summaryrefslogtreecommitdiff
path: root/modules
Commit message (Collapse)AuthorAge
...
* pam_access: Avoid uninitialized access of line.Tomas Mraz2014-08-13
| | | | | * modules/pam_access/pam_access.c (login_access): Reorder condition so line is not accessed when uninitialized.
* pam_lastlog: Properly clean up last_login structure before use.Tomas Mraz2014-08-05
| | | | | modules/pam_lastlog/pam_lastlog.c (last_login_write): Properly clean up last_login structure before use.
* Make pam_pwhistory and pam_unix tolerant of corrupted opasswd file.Tomas Mraz2014-07-21
| | | | | | | * modules/pam_pwhistory/opasswd.c (parse_entry): Test for missing fields in opasswd entry and return error. * modules/pam_unix/passverify.c (save_old_password): Test for missing fields in opasswd entry and skip it.
* pam_limits: nofile refers to file descriptors not filesTomas Mraz2014-06-19
| | | | | modules/pam_limits/limits.conf.5.xml: Correct documentation of nofile limit. modules/pam_limits/limits.conf: Likewise.
* pam_limits: clarify documentation of maxlogins and maxsyslogins limits.Tomas Mraz2014-06-19
| | | | | modules/pam_limits/limits.conf.5.xml: clarify documentation of maxlogins and maxsyslogins limits.
* pam_unix: Check for NULL return from Goodcrypt_md5().Tomas Mraz2014-06-19
| | | | | modules/pam_unix/pam_unix_passwd.c (check_old_password): Check for NULL return from Goodcrypt_md5().
* pam_unix: check for NULL return from malloc()Tomas Mraz2014-06-19
| | | | * modules/pam_unix/md5_crypt.c (crypt_md5): Check for NULL return from malloc().
* pam_loginuid: Document one more possible case of PAM_IGNORE return.Tomas Mraz2014-05-22
| | | | | modules/pam_loginuid/pam_loginuid.8.xml: Document one more possible case of PAM_IGNORE return value.
* pam_loginuid: Document other possible return values.Tomas Mraz2014-05-22
| | | | | modules/pam_loginuid/pam_loginuid.8.xml: Document the possible return values.
* pam_timestamp: fix potential directory traversal issue (ticket #27)Dmitry V. Levin2014-03-26
| | | | | | | | | | | | | | | pam_timestamp uses values of PAM_RUSER and PAM_TTY as components of the timestamp pathname it creates, so extra care should be taken to avoid potential directory traversal issues. * modules/pam_timestamp/pam_timestamp.c (check_tty): Treat "." and ".." tty values as invalid. (get_ruser): Treat "." and ".." ruser values, as well as any ruser value containing '/', as invalid. Fixes CVE-2014-2583. Reported-by: Sebastian Krahmer <krahmer@suse.de>
* pam_userdb: document that .db suffix should not be usedTomas Mraz2014-03-20
| | | | | modules/pam_userdb/pam_userdb.8.xml: Document that .db suffix should not be used and correct the example.
* pam_selinux: canonicalize user nameTomas Mraz2014-03-11
| | | | | | SELinux expects canonical user name for example without domain component. * modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam().
* Introduce pam_modutil_sanitize_helper_fdsDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This change introduces pam_modutil_sanitize_helper_fds - a new function that redirects standard descriptors and closes all other descriptors. pam_modutil_sanitize_helper_fds supports three types of input and output redirection: - PAM_MODUTIL_IGNORE_FD: do not redirect at all. - PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented by creating a pipe, closing its write end, and redirecting stdin to its read end. Likewise, for stdout/stderr it is implemented by creating a pipe, closing its read end, and redirecting to its write end. Unlike stdin redirection, stdout/stderr redirection to a pipe has a side effect that a process writing to such descriptor should be prepared to handle SIGPIPE appropriately. - PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is implemented via PAM_MODUTIL_PIPE_FD because there is no functional difference. For stdout/stderr, it is classic redirection to /dev/null. PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel security restrictions, but when the helper process might be writing to the corresponding descriptor and termination of the helper process by SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD. * libpam/pam_modutil_sanitize.c: New file. * libpam/Makefile.am (libpam_la_SOURCES): Add it. * libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd, pam_modutil_sanitize_helper_fds): New declarations. * libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface. * modules/pam_exec/pam_exec.c (call_exec): Use pam_modutil_sanitize_helper_fds. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise. * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. * modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise. * modules/pam_unix/support.h (MAX_FD_NO): Remove.
* pam_xauth: avoid potential SIGPIPE when writing to xauth processDmitry V. Levin2014-01-27
| | | | | | | Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8. * modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process, close the read end of input pipe after writing to its write end.
* pam_loginuid: log significant loginuid write errorsDmitry V. Levin2014-01-27
| | | | | * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors during /proc/self/loginuid update that are not ignored.
* Fix gratuitous use of strdup and x_strdupDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | | | | | | | | | | | | There is no need to copy strings passed as arguments to execve, the only potentially noticeable effect of using strdup/x_strdup would be a malformed argument list in case of memory allocation error. Also, x_strdup, being a thin wrapper around strdup, is of no benefit when its argument is known to be non-NULL, and should not be used in such cases. * modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup instead of x_strdup, the latter is of no benefit in this case. * modules/pam_ftp/pam_ftp.c (lookup): Likewise. * modules/pam_userdb/pam_userdb.c (user_lookup): Likewise. * modules/pam_userdb/pam_userdb.h (x_strdup): Remove. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use x_strdup for strings passed as arguments to execve. * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise. * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise. * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise. (_unix_verify_password): Use strdup instead of x_strdup, the latter is of no benefit in this case. * modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for strings passed as arguments to execv.
* pam_userdb: fix password hash comparisonDmitry V. Levin2014-01-27
| | | | | | | | | | | | | | | | | | | | Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed passwords support in pam_userdb, hashes are compared case-insensitively. This bug leads to accepting hashes for completely different passwords in addition to those that should be accepted. Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for modern password hashes with different lengths and settings, did not update the hash comparison accordingly, which leads to accepting computed hashes longer than stored hashes when the latter is a prefix of the former. * modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed hash whose length differs from the stored hash length. Compare computed and stored hashes case-sensitively. Fixes CVE-2013-7041. Bug-Debian: http://bugs.debian.org/731368
* pam_xauth: log fatal errors preventing xauth process executionDmitry V. Levin2014-01-24
| | | | | * modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe() and fork() calls.
* pam_loginuid: cleanup loginuid buffer initializationDmitry V. Levin2014-01-22
| | | | | * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid buffer initialization closer to its first use.
* pam_limits: fix utmp->ut_user handlingDmitry V. Levin2014-01-20
| | | | | | | | | ut_user member of struct utmp is a string that is not necessarily null-terminated, so extra care should be taken when using it. * modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to a null-terminated string and consistently use it where a null-terminated string is expected.
* pam_mkhomedir: check and create home directory for the same user (ticket #22)Dmitry V. Levin2014-01-20
| | | | | | | | | | | | | | | | | | | | | Before pam_mkhomedir helper was introduced in commit 7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for existance and creating the same directory - the home directory of the user NAME returned by pam_get_item(PAM_USER). The change in behaviour accidentally introduced along with mkhomedir_helper is not consistent: while the module still checks for getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily the same as the directory being checked. This change brings check and creation back in sync, both handling getpwnam(NAME)->pw_dir. * modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace "struct passwd *" argument with user's name and home directory. Pass user's name to MKHOMEDIR_HELPER. (pam_sm_open_session): Update create_homedir call.
* pam_limits: detect and ignore stale utmp entriesTomas Mraz2014-01-20
| | | | | | | | Original idea by Christopher Hailey * modules/pam_limits/pam_limits.c (check_logins): Use kill() to detect if pid of the utmp entry is still running and ignore the entry if it is not.
* pam_loginuid: Always return PAM_IGNORE in usernsStéphane Graber2014-01-18
| | | | | | | | | | | | | | | | | | | | | | | | | The previous patch to support user namespaces works fine with containers that are started from a desktop/terminal session but fails when dealing with containers that were started from a remote session such as ssh. I haven't looked at the exact reason for that in the kernel but on the userspace side of things, the difference is that containers started from an ssh session will happily let pam open /proc/self/loginuid read-write, will let it read its content but will then fail with EPERM when trying to write to it. So to make the userns support bullet proof, this commit moves the userns check earlier in the function (which means a small performance impact as it'll now happen everytime on kernels that have userns support) and will set rc = PAM_IGNORE instead of rc = PAM_ERROR. The rest of the code is still executed in the event that PAM is run on a future kernel where we have some kind of audit namespace that includes a working loginuid. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Signed-off-by: Steve Langasek <vorlon@debian.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
* pam_namespace: don't use bashisms in default namespace.init scriptSteve Langasek2014-01-15
| | | | | | | | | | | | | | | | | | | | | | | | | * modules/pam_namespace/pam_namespace.c: call setuid() before execing the namespace init script, so that scripts run with maximum privilege regardless of the shell implementation. * modules/pam_namespace/namespace.init: drop the '-p' bashism from the shebang line This is not a POSIX standard option, it's a bashism. The bash manpage says that it's used to prevent the effective user id from being reset to the real user id on startup, and to ignore certain unsafe variables from the environment. In the case of pam_namespace, the -p is not necessary for environment sanitizing because the PAM module (properly) sanitizes the environment before execing the script. The stated reason given in CVS history for passing -p is to "preserve euid when called from setuid apps (su, newrole)." This should be done more portably, by calling setuid() before spawning the shell. Signed-off-by: Steve Langasek <vorlon@debian.org> Bug-Debian: http://bugs.debian.org/624842 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
* pam_loginuid: Ignore failure in user namespacesStéphane Graber2014-01-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When running pam_loginuid in a container using the user namespaces, even uid 0 isn't allowed to set the loginuid property. This change catches the EACCES from opening loginuid, checks if the user is in the host namespace (by comparing the uid_map with the host's one) and only if that's the case, sets rc to 1. Should uid_map not exist or be unreadable for some reason, it'll be assumed that the process is running on the host's namespace. The initial reason behind this change was failure to ssh into an unprivileged container (using a 3.13 kernel and current LXC) when using a standard pam profile for sshd (which requires success from pam_loginuid). I believe this solution doesn't have any drawback and will allow people to use unprivileged containers normally. An alternative would be to have all distros set pam_loginuid as optional but that'd be bad for any of the other potential failure case which people may care about. There has also been some discussions to get some of the audit features tied with the user namespaces but currently none of that has been merged upstream and the currently proposed implementation doesn't cover loginuid (nor is it clear how this should even work when loginuid is set as immutable after initial write). Signed-off-by: Steve Langasek <vorlon@debian.org> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
* pam_loginuid: return PAM_IGNORE when /proc/self/loginuid does not existDmitry V. Levin2014-01-10
| | | | | | | | | | | | | When /proc/self/loginuid does not exist, return PAM_IGNORE instead of PAM_SUCCESS, so that we can distinguish between "loginuid set successfully" and "loginuid not set, but this is expected". Suggested by Steve Langasek. * modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid does not exist, PAM_SESSION_ERR in case of any other error. (_pam_loginuid): Forward the PAM error code returned by set_loginuid.
* pam_access: fix debug level logging (ticket #19)Dmitry V. Levin2013-11-20
| | | | | * modules/pam_access/pam_access.c (group_match): Log the group token passed to the function, not an uninitialized data on the stack.
* pam_warn: log flags passed to the module (ticket #25)Dmitry V. Levin2013-11-20
| | | | | | | | * modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and log it using pam_syslog. (pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok, pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass "flags" argument to log_items.
* pam_securetty: check return value of fgetsDmitry V. Levin2013-11-20
| | | | | | | | Checking return value of fgets not only silences the warning from glibc but also leads to a cleaner code. * modules/pam_securetty/pam_securetty.c (securetty_perform_check): Check return value of fgets.
* pam_lastlog: fix format stringDmitry V. Levin2013-11-20
| | | | | | | | gcc -Wformat justly complains: format '%d' expects argument of type 'int', but argument 5 has type 'time_t' * modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format string.
* If the correct loginuid is set already, skip writing it.Darren Tucker2013-11-20
| | | | | modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid and skip writing if already correctly set.
* Always ask for old password if changing NIS accountThorsten Kukuk2013-11-11
| | | | | * modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask for old password if NIS account.
* Allow DES as compatibility option for /etc/login.defsThorsten Kukuk2013-11-08
| | | | * modules/pam_unix/support.h: Add UNIX_DES
* Make pam_tty_audit work with old kernels not supporting log_passwd.Tomas Mraz2013-10-14
| | | | | | | modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros if message is short from older kernel. Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
* Fix pam_tty_audit log_passwd support and regression.Tomas Mraz2013-09-25
| | | | | modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include. (pam_sm_open_session): Always copy the old status as initialization of new.
* Check return value of setuid to remove glibc warnings.Thorsten Kukuk2013-09-16
| | | | | * modules/pam_unix/pam_unix_acct.c: Check setuid return value. * modules/pam_unix/support.c: Likewise.
* Write to *rounds only if non-NULL.Tomas Mraz2013-09-13
| | | | modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
* Add missing ')'Tomas Mraz2013-09-13
| | | | modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
* Extend pam_exec by stdout and type= options (ticket #8):Thorsten Kukuk2013-09-04
| | | | | * modules/pam_exec/pam_exec.c: Add stdout and type= option * modules/pam_exec/pam_exec.8.xml: Document new options
* Fix compile errorThorsten Kukuk2013-08-30
| | | | * modules/pam_unix/pam_unix_acct.c: fix last change
* Restart waitpid if it returns with EINTR (ticket #17)Thorsten Kukuk2013-08-29
| | | | | | * modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop. * modules/pam_unix/pam_unix_passwd.c: Likewise. * modules/pam_unix/support.c: Likewise.
* Apply the exclusive check in pam_sepermit only when loginuid not set.Tomas Mraz2013-08-23
| | | | | | * modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from /proc (sepermit_match): Apply the exclusive check only when loginuid not set.
* pam_rootok: fix linking in --enable-audit modeDmitry V. Levin2013-07-01
| | | | | | | pam_rootok.c explicitly uses functions from libaudit, so the module has to be linked with the library. * modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
* pam_tty_audit: fix a typo that crept in during patch reviewRichard Guy Briggs2013-07-01
| | | | | | | | | | * modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD. * configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove. Signed-off-by: Richard Guy Briggs <rgb@redhat.com> Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
* pam_tty_audit: add an option to control logging of passwords: log_passwdRichard Guy Briggs2013-06-21
| | | | | | | | | | | | | | | | | | Most commands are entered one line at a time and processed as complete lines in non-canonical mode. Commands that interactively require a password, enter canonical mode with echo set to off to do this. This feature (icanon and !echo) can be used to avoid logging passwords by audit while still logging the rest of the command. Adding a member to the struct audit_tty_status passed in by pam_tty_audit allows control of logging passwords per task. * configure.in: autoconf bits to conditionally add support at compile time depending on struct audit_tty_status kernel header version. * modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module log_passwd option. * modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added "log_passwd" option parsing. Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
* Man page fix - unix_update runs in the permissive mode as well.Tomas Mraz2013-06-20
| | | | | modules/pam_unix/unix_update.8.xml: unix_update helper runs in the permissive mode as well.
* Use hash from /etc/login.defs as default if noThorsten Kukuk2013-06-18
| | | | | | | | | other one is specified as argument. * modules/pam_unix/support.c: Add search_key, call from __set_ctrl * modules/pam_unix/support.h: Add define for /etc/login.defs * modules/pam_unix/pam_unix.8.xml: Document new behavior. * modules/pam_umask/pam_umask.c: Add missing NULL pointer check
* pam_access: better not change the default function used to get domain name.Tomas Mraz2013-04-12
| | | | | | modules/pam_access/pam_access.c (netgroup_match): As we did not use yp_get_default_domain() in the 1.1 branch due to typo in ifdef we should use it only as fallback.
* Fix strict aliasing issue in MD5 implementations.Tomas Mraz2013-03-28
| | | | | modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment. modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
* pam_lastlog: Do not fail on short read if btmp is corrupted.Tomas Mraz2013-03-22
| | | | | modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail on short read or read error.