| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This change introduces pam_modutil_sanitize_helper_fds - a new function
that redirects standard descriptors and closes all other descriptors.
pam_modutil_sanitize_helper_fds supports three types of input and output
redirection:
- PAM_MODUTIL_IGNORE_FD: do not redirect at all.
- PAM_MODUTIL_PIPE_FD: redirect to a pipe. For stdin, it is implemented
by creating a pipe, closing its write end, and redirecting stdin to
its read end. Likewise, for stdout/stderr it is implemented by
creating a pipe, closing its read end, and redirecting to its write
end. Unlike stdin redirection, stdout/stderr redirection to a pipe
has a side effect that a process writing to such descriptor should be
prepared to handle SIGPIPE appropriately.
- PAM_MODUTIL_NULL_FD: redirect to /dev/null. For stdin, it is
implemented via PAM_MODUTIL_PIPE_FD because there is no functional
difference. For stdout/stderr, it is classic redirection to
/dev/null.
PAM_MODUTIL_PIPE_FD is usually more suitable due to linux kernel
security restrictions, but when the helper process might be writing to
the corresponding descriptor and termination of the helper process by
SIGPIPE is not desirable, one should choose PAM_MODUTIL_NULL_FD.
* libpam/pam_modutil_sanitize.c: New file.
* libpam/Makefile.am (libpam_la_SOURCES): Add it.
* libpam/include/security/pam_modutil.h (pam_modutil_redirect_fd,
pam_modutil_sanitize_helper_fds): New declarations.
* libpam/libpam.map (LIBPAM_MODUTIL_1.1.9): New interface.
* modules/pam_exec/pam_exec.c (call_exec): Use
pam_modutil_sanitize_helper_fds.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Likewise.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Likewise.
* modules/pam_unix/support.h (MAX_FD_NO): Remove.
|
| | |
| |
| |
| |
| |
| |
| | |
Similar issue in pam_unix was fixed by commit Linux-PAM-0-73~8.
* modules/pam_xauth/pam_xauth.c (run_coprocess): In the parent process,
close the read end of input pipe after writing to its write end.
|
| | |
| |
| |
| |
| | |
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Log those errors
during /proc/self/loginuid update that are not ignored.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
There is no need to copy strings passed as arguments to execve,
the only potentially noticeable effect of using strdup/x_strdup
would be a malformed argument list in case of memory allocation error.
Also, x_strdup, being a thin wrapper around strdup, is of no benefit
when its argument is known to be non-NULL, and should not be used in
such cases.
* modules/pam_cracklib/pam_cracklib.c (password_check): Use strdup
instead of x_strdup, the latter is of no benefit in this case.
* modules/pam_ftp/pam_ftp.c (lookup): Likewise.
* modules/pam_userdb/pam_userdb.c (user_lookup): Likewise.
* modules/pam_userdb/pam_userdb.h (x_strdup): Remove.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Do not use
x_strdup for strings passed as arguments to execve.
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Likewise.
* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary): Likewise.
* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
(_unix_verify_password): Use strdup instead of x_strdup, the latter
is of no benefit in this case.
* modules/pam_xauth/pam_xauth.c (run_coprocess): Do not use strdup for
strings passed as arguments to execv.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with commit Linux-PAM-0-77-28-g0b3e583 that introduced hashed
passwords support in pam_userdb, hashes are compared case-insensitively.
This bug leads to accepting hashes for completely different passwords in
addition to those that should be accepted.
Additionally, commit Linux-PAM-1_1_6-13-ge2a8187 that added support for
modern password hashes with different lengths and settings, did not
update the hash comparison accordingly, which leads to accepting
computed hashes longer than stored hashes when the latter is a prefix
of the former.
* modules/pam_userdb/pam_userdb.c (user_lookup): Reject the computed
hash whose length differs from the stored hash length.
Compare computed and stored hashes case-sensitively.
Fixes CVE-2013-7041.
Bug-Debian: http://bugs.debian.org/731368
|
| | |
| |
| |
| |
| | |
* modules/pam_xauth/pam_xauth.c (run_coprocess): Log errors from pipe()
and fork() calls.
|
| | |
| |
| |
| |
| | |
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Move loginuid
buffer initialization closer to its first use.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
ut_user member of struct utmp is a string that is not necessarily
null-terminated, so extra care should be taken when using it.
* modules/pam_limits/pam_limits.c (check_logins): Convert ut->UT_USER to
a null-terminated string and consistently use it where a null-terminated
string is expected.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before pam_mkhomedir helper was introduced in commit
7b14630ef39e71f603aeca0c47edf2f384717176, pam_mkhomedir was checking for
existance and creating the same directory - the home directory of the
user NAME returned by pam_get_item(PAM_USER).
The change in behaviour accidentally introduced along with
mkhomedir_helper is not consistent: while the module still checks for
getpwnam(NAME)->pw_dir, the directory created by mkhomedir_helper is
getpwnam(getpwnam(NAME)->pw_name)->pw_dir, which is not necessarily
the same as the directory being checked.
This change brings check and creation back in sync, both handling
getpwnam(NAME)->pw_dir.
* modules/pam_mkhomedir/pam_mkhomedir.c (create_homedir): Replace
"struct passwd *" argument with user's name and home directory.
Pass user's name to MKHOMEDIR_HELPER.
(pam_sm_open_session): Update create_homedir call.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Original idea by Christopher Hailey
* modules/pam_limits/pam_limits.c (check_logins): Use kill() to
detect if pid of the utmp entry is still running and ignore the entry
if it is not.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The previous patch to support user namespaces works fine with containers
that are started from a desktop/terminal session but fails when dealing
with containers that were started from a remote session such as ssh.
I haven't looked at the exact reason for that in the kernel but on the
userspace side of things, the difference is that containers started from
an ssh session will happily let pam open /proc/self/loginuid read-write,
will let it read its content but will then fail with EPERM when trying
to write to it.
So to make the userns support bullet proof, this commit moves the userns
check earlier in the function (which means a small performance impact as
it'll now happen everytime on kernels that have userns support) and will
set rc = PAM_IGNORE instead of rc = PAM_ERROR.
The rest of the code is still executed in the event that PAM is run on a
future kernel where we have some kind of audit namespace that includes a
working loginuid.
Signed-off-by: Stéphane Graber <stgraber@ubuntu.com>
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_namespace/pam_namespace.c: call setuid() before execing the
namespace init script, so that scripts run with maximum privilege regardless
of the shell implementation.
* modules/pam_namespace/namespace.init: drop the '-p' bashism from the
shebang line
This is not a POSIX standard option, it's a bashism. The bash manpage says
that it's used to prevent the effective user id from being reset to the real
user id on startup, and to ignore certain unsafe variables from the
environment.
In the case of pam_namespace, the -p is not necessary for environment
sanitizing because the PAM module (properly) sanitizes the environment
before execing the script.
The stated reason given in CVS history for passing -p is to "preserve euid
when called from setuid apps (su, newrole)." This should be done more
portably, by calling setuid() before spawning the shell.
Signed-off-by: Steve Langasek <vorlon@debian.org>
Bug-Debian: http://bugs.debian.org/624842
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1081323
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When running pam_loginuid in a container using the user namespaces, even
uid 0 isn't allowed to set the loginuid property.
This change catches the EACCES from opening loginuid, checks if the user
is in the host namespace (by comparing the uid_map with the host's one)
and only if that's the case, sets rc to 1.
Should uid_map not exist or be unreadable for some reason, it'll be
assumed that the process is running on the host's namespace.
The initial reason behind this change was failure to ssh into an
unprivileged container (using a 3.13 kernel and current LXC) when using
a standard pam profile for sshd (which requires success from
pam_loginuid).
I believe this solution doesn't have any drawback and will allow people
to use unprivileged containers normally. An alternative would be to have
all distros set pam_loginuid as optional but that'd be bad for any of
the other potential failure case which people may care about.
There has also been some discussions to get some of the audit features
tied with the user namespaces but currently none of that has been merged
upstream and the currently proposed implementation doesn't cover
loginuid (nor is it clear how this should even work when loginuid is set
as immutable after initial write).
Signed-off-by: Steve Langasek <vorlon@debian.org>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When /proc/self/loginuid does not exist, return PAM_IGNORE instead of
PAM_SUCCESS, so that we can distinguish between "loginuid set
successfully" and "loginuid not set, but this is expected".
Suggested by Steve Langasek.
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Change return
code semantics: return PAM_SUCCESS on success, PAM_IGNORE when loginuid
does not exist, PAM_SESSION_ERR in case of any other error.
(_pam_loginuid): Forward the PAM error code returned by set_loginuid.
|
| | |
| |
| |
| |
| | |
* modules/pam_access/pam_access.c (group_match): Log the group token
passed to the function, not an uninitialized data on the stack.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_warn/pam_warn.c (log_items): Take "flags" argument and
log it using pam_syslog.
(pam_sm_authenticate, pam_sm_setcred, pam_sm_chauthtok,
pam_sm_acct_mgmt, pam_sm_open_session, pam_sm_close_session): Pass
"flags" argument to log_items.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Checking return value of fgets not only silences the warning from glibc
but also leads to a cleaner code.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Check return value of fgets.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
gcc -Wformat justly complains:
format '%d' expects argument of type 'int', but argument 5 has type 'time_t'
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Fix format
string.
|
| | |
| |
| |
| |
| | |
modules/pam_loginuid/pam_loginuid.c (set_loginuid): Read the current loginuid
and skip writing if already correctly set.
|
| | |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): ask
for old password if NIS account.
|
| | |
| |
| |
| | |
* modules/pam_unix/support.h: Add UNIX_DES
|
| | |
| |
| |
| |
| |
| |
| | |
modules/pam_tty_audit/pam_tty_audit.c(nl_recv): Pad result with zeros
if message is short from older kernel.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
|
| | |
| |
| |
| |
| | |
modules/pam_tty_audit/pam_tty_audit.c: Add missing "config.h" include.
(pam_sm_open_session): Always copy the old status as initialization of new.
|
| |\| |
|
| | |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c: Check setuid return value.
* modules/pam_unix/support.c: Likewise.
|
| | |
| |
| |
| | |
modules/pam_unix/support.c(_set_ctrl): Write to *rounds only if non-NULL.
|
| | |
| |
| |
| | |
modules/pam_unix/pam_unix_passwd.c: Add missing ')'..
|
| | |
| |
| |
| |
| | |
* modules/pam_exec/pam_exec.c: Add stdout and type= option
* modules/pam_exec/pam_exec.8.xml: Document new options
|
| | |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c: fix last change
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c: run waitpid in a while loop.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_unix/support.c: Likewise.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_sepermit/pam_sepermit.c(get_loginuid): Read loginuid from
/proc
(sepermit_match): Apply the exclusive check only when loginuid not set.
|
| | |
| |
| |
| |
| |
| |
| | |
pam_rootok.c explicitly uses functions from libaudit, so the module has
to be linked with the library.
* modules/pam_rootok/Makefile.am (pam_rootok_la_LIBADD): Add @LIBAUDIT@.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Replace
all occurrences of HAVE_AUDIT_TTY_STATUS_LOG_PASSWD with
HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD.
* configure.in (HAVE_AUDIT_TTY_STATUS_LOG_PASSWD): Remove.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Most commands are entered one line at a time and processed as complete lines
in non-canonical mode. Commands that interactively require a password, enter
canonical mode with echo set to off to do this. This feature (icanon and
!echo) can be used to avoid logging passwords by audit while still logging the
rest of the command. Adding a member to the struct audit_tty_status passed in
by pam_tty_audit allows control of logging passwords per task.
* configure.in: autoconf bits to conditionally add support at compile time
depending on struct audit_tty_status kernel header version.
* modules/pam_tty_audit/pam_tty_audit.8.xml: Document new pam_tty_audit module
log_passwd option.
* modules/pam_tty_audit/pam_tty_audit.c: (pam_sm_open_session): Added
"log_passwd" option parsing.
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
|
| | |
| |
| |
| |
| | |
modules/pam_unix/unix_update.8.xml: unix_update helper runs in the
permissive mode as well.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
other one is specified as argument.
* modules/pam_unix/support.c: Add search_key, call from __set_ctrl
* modules/pam_unix/support.h: Add define for /etc/login.defs
* modules/pam_unix/pam_unix.8.xml: Document new behavior.
* modules/pam_umask/pam_umask.c: Add missing NULL pointer check
|
| | |
| |
| |
| |
| |
| | |
modules/pam_access/pam_access.c (netgroup_match): As we did not use
yp_get_default_domain() in the 1.1 branch due to typo in ifdef
we should use it only as fallback.
|
| | |
| |
| |
| |
| | |
modules/pam_namespace/md5.c (MD5Final): Use memcpy instead of assignment.
modules/pam_unix/md5.c (MD5Final): Use memcpy instead of assignment.
|
| | |
| |
| |
| |
| | |
modules/pam_lastlog/pam_lastlog.c (last_login_failed): Just warn, not fail
on short read or read error.
|
| | |
| |
| |
| |
| | |
modules/pam_rootok/pam_rootok.c (log_callback, selinux_check_root): New functions.
(check_for_root): Use the selinux_check_root() instead of checkPasswdAccess.
|
| | |
| |
| |
| |
| | |
modules/pam_pwhistory/opasswd.c (compare_password): Add check for crypt() NULL return.
modules/pam_unix/bigcrypt.c (bigcrypt): Likewise.
|
| | |
| |
| |
| |
| | |
modules/pam_userdb/pam_userdb.c (user_lookup): Allow password hashes
longer than 13 characters and long salt.
|
| | |
| |
| |
| |
| | |
modules/pam_access/pam_access.c (netgroup_match): Fix typo
in #ifdef HAVE_YP_GET_DEFAULT_DOMAIN.
|
| | |
| |
| |
| |
| | |
modules/pam_cracklib/pam_cracklib.8.xml: Add note about checks
when run as root.
|
| | |
| |
| |
| |
| | |
modules/pam_selinux/pam_selinux.c (manual_context): Drop function.
(compute_exec_context): Drop manual_context() call.
|
| | |
| |
| |
| | |
modules/pam_limits/limits.conf: Fix grammatical mistake.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
glibc's <sys/wait.h> starting with commit
http://sourceware.org/git/?p=glibc.git;a=commitdiff;h=glibc-2.15-231-gd94a467
does not include <sys/resource.h> for POSIX 2008 conformance reasons, so
when pam is being built with SELinux support enabled, pam_unix_passwd.c
uses getrlimit(2) and therefore should include <sys/resource.h> without
relying on other headers.
* modules/pam_unix/pam_unix_passwd.c: Include <sys/resource.h>.
Reported-by: Guido Trentalancia <guido@trentalancia.com>
Reported-by: "Jory A. Pratt" <anarchy@gentoo.org>
Reported-by: Diego Elio Pettenò <flameeyes@flameeyes.eu>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
modules/pam_namespace/pam_namespace.h: Add mount_opts member to polydir
structure.
modules/pam_namespace/pam_namespace.c (del_polydir): Free the mount_opts.
(parse_method): Parse the mntopts flag.
(ns_setup): Pass the mount_opts to mount().
modules/pam_namespace/namespace.conf.5.xml: Document the mntopts flag.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
modules/pam_selinux/pam_selinux.c (send_audit_message): Obtain tty and
rhost from PAM items and pass them to audit.
modules/pam_tally2/pam_tally2.c (tally_check): Obtain tty and
rhost from PAM items and pass them to audit.
(main): Obtain tty name of stdin and pass it to audit.
|
| | |
| |
| |
| |
| |
| |
| | |
modules/pam_namespace/Makefile.am: Add missing $(DESTDIR) when making
$(namespaceddir) on install.
modules/pam_sepermit/Makefile.am: Add missing $(DESTDIR) when making
$(sepermitlockdir) on install.
|
