| Commit message (Collapse) | Author | Age |
|---|
| |\ |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Matthias Gerstner found the following issue:
<quote>
So this pam_setquota module iterates over all mounted file systems using
`setmntent()` and `getmntent()`. It tries to find the longest match of
a file system mounted on /home/$USER or above (except when the
fs=/some/path parameter is passed to the pam module).
The thing is that /home/$USER is owned by the unprivileged user. And
there exist tools like fusermount from libfuse which is by default
installed setuid-root for everybody. fusermount allows to mount a FUSE
file system using an arbitrary "source device name" as the unprivileged
user.
Thus considering the following use case:
1) there is only the root file system (/) or a file system is mounted on
/home, but not on /home/$USER.
2) the attacker mounts a fake FUSE file system over its own home directory:
```
user $ export _FUSE_COMMFD=0
user $ fusermount $HOME -ononempty,fsname=/dev/sda1
```
This will result in a mount entry in /proc/mounts looking like this:
```
/dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
```
3) when the attacker now logs in with pam_setquota configured then
pam_setquota will identify /dev/sda1 and the file system where
to apply the user's quota on.
As a result an unprivileged user has full control over onto which block
device the quota is applied.
</quote>
If the user's $HOME is on a separate partition, setting a quota on the
user's $HOME does not really make sense, so this patch skips mountpoints
equal to the user's $HOME, preventing the above mentioned bug as
a side-effect (or vice-versa).
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Co-authored-by: Tomáš Mráz <tmraz@redhat.com>
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/230
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
pam_get_user returns an empty string as the user name. When either of
these functions returned an error value, it used to return that error
value. This hasn't been documented, and I couldn't find any rationale
for this behaviour.
* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
pam_get_user and pam_set_item.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_ERR to LOG_NOTICE.
* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_WARNING to LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
pam_sm_acct_mgmt): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Downgrade the syslog level for pam_get_user errors from LOG_WARNING
to LOG_NOTICE.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_localuser/tst-pam_localuser-retval.c: New file.
* modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
function.
(pam_sm_authenticate): Use it.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
the syslog level for errors related to pam_get_user from LOG_ERR to
LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Also, remove unused MODULE_NAME macro.
* modules/pam_localuser/pam_localuser.c: Stop including unused header
files.
(MODULE_NAME): Remove.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
pam_get_user is guaranteed to return one of the following values:
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
PAM_SERVICE_ERR.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
new return values.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
it.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Since user name is untrusted input, it should be validated earlier
rather than later.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
the passwd file after user name validation.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As BUFSIZ is the buffer size used in stdio, it must be an efficient size
for the line buffer. Also, it's larger than LINE_MAX used as the line
buffer size before this change, effectively raising the maximum user
name length supported by this module.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
LINE_MAX with BUFSIZ.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Before this change, a long line in the passwd file used to be treated as
several lines which could potentially result to false match and,
consequently, to incorrect PAM_SUCCESS return value.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
long lines in passwd files properly.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
copy the user name into a temporary buffer, use the user name itself in
comparisons.
|
| | |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
unrecognized options.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
When passwd file cannot be opened or the user name either cannot be
obtained or is not valid, return PAM_SERVICE_ERR instead of
PAM_SYSTEM_ERR.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Too long user names used to be truncated which could potentially result
to false match and, consequently, to incorrect PAM_SUCCESS return value.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_SERVICE_ERR if the user name is too long.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
"root:x" is not a local user name even if the passwd file contains
a line starting with "root:x:".
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_PERM_DENIED if the user name contains a colon.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
* modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
* modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_rootok/tst-pam_rootok-retval.c: New file.
* modules/pam_rootok/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_rootok_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_nologin/tst-pam_nologin-retval.c: New file.
* modules/pam_nologin/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_nologin_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_echo/tst-pam_echo-retval.c: New file.
* modules/pam_echo/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_echo_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_warn/tst-pam_warn-retval.c: New file.
* modules/pam_warn/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_warn_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_debug/tst-pam_debug-retval.c: New file.
* modules/pam_debug/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_debug_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_permit/tst-pam_permit-retval.c: New file.
* modules/pam_permit/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_permit_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| | |
* modules/pam_deny/tst-pam_deny-retval.c: New file.
* modules/pam_deny/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_deny_retval_LDADD): New variables.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pam_modutil_getpwnam
pam_modutil_getpwnam is perfectly capable of handling empty strings as
user names, no need to double check that.
* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
the user name for emptyness before passing it to pam_modutil_getpwnam.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
|
| | |
| |
| |
| |
| | |
* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document
PAM_BUF_ERR and PAM_CONV_ERR return values.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Return
PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_usertype/pam_usertype.8.xml (RETURN VALUES): Document it.
|
| | |
| |
| |
| |
| | |
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document
PAM_BUF_ERR and PAM_CONV_ERR return values.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_faillock/pam_faillock.c (get_pam_user): Return
PAM_INCOMPLETE instead of PAM_CONV_AGAIN when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_faillock/pam_faillock.8.xml (RETURN VALUES): Document it.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
pam_get_user is guaranteed to return one of the following values:
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Do not
replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
PAM_SERVICE_ERR.
* modules/pam_securetty/pam_securetty.8.xml (RETURN VALUES): Document
new return values.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If pam_get_user returned PAM_SUCCESS, the user name is guaranteed
to be a valid C string, no need to double check that.
* modules/pam_access/pam_access.c (pam_sm_authenticate): Do not check
for NULL the user name returned by pam_get_user when the latter returned
PAM_SUCCESS.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Likewise.
* modules/pam_filter/pam_filter.c (process_args): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_permit/pam_permit.c (pam_sm_authenticate): Likewise.
* modules/pam_pwhistory/pam_pwhistory.c (pam_sm_chauthtok): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_securetty/pam_securetty.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_shells/pam_shells.c (perform_check): Likewise.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_timestamp/pam_timestamp.c (get_timestamp_name): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_unix/pam_unix_auth.c (pam_sm_authenticate): Likewise.
* modules/pam_unix/pam_unix_passwd.c (pam_sm_chauthtok): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_wheel/pam_wheel.c (perform_check): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate, pam_sm_acct_mgmt):
Likewise.
|
| | |
| |
| |
| |
| | |
* modules/pam_umask/pam_umask.8.xml (RETURN VALUES): Document
PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
|
| | |
| |
| |
| |
| | |
* modules/pam_exec/pam_exec.8.xml (RETURN VALUES): Document
PAM_BUF_ERR, PAM_CONV_ERR, and PAM_INCOMPLETE return values.
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Following the bad example in pam_mkhomedir module, from the very
beginning pam_setquota module used to return PAM_CRED_INSUFFICIENT
when pam_modutil_getpwnam() returned an error. Fix this now
by changing the return value to PAM_USER_UNKNOWN.
* modules/pam_setquota/pam_setquota.c (pam_sm_open_session): Return
PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
* modules/pam_setquota/pam_setquota.8.xml (PAM_CRED_INSUFFICIENT):
Replace with PAM_USER_UNKNOWN.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
From the very beginning pam_mkhomedir module used to return
PAM_CRED_INSUFFICIENT when getpwnam() or pam_modutil_getpwnam()
returned an error. Fix this now by changing the return value
to PAM_USER_UNKNOWN.
* modules/pam_mkhomedir/mkhomedir_helper.c (main): Return
PAM_USER_UNKNOWN instead of PAM_CRED_INSUFFICIENT.
* modules/pam_mkhomedir/pam_mkhomedir.c (pam_sm_open_session): Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.8.xml (PAM_CRED_INSUFFICIENT):
Remove.
|
| | |
| |
| |
| |
| |
| | |
Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka
Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support
from Linux-PAM), PAM_SM_* macros have no effect.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Following the bad example in pam_succeed_if module, from the very
beginning pam_usertype used to override the default prompt used by
pam_get_user() with "login: ". Fix this now.
* modules/pam_usertype/pam_usertype.c (pam_sm_authenticate): Do not
request PAM_USER_PROMPT item, invoke pam_get_user() with the default
prompt.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
From the very beginning pam_succeed_if used to override the default
prompt used by pam_get_user() with "login: ". Fix this now.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Do not
request PAM_USER_PROMPT item, invoke pam_get_user() with the default
prompt.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
... and remove $(TESTS) from EXTRA_DIST.
The change is performed automatically using the following script:
sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
-e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
|
| | |
| |
| |
| |
| |
| |
| | |
... and remove $(MANS) from EXTRA_DIST.
The change is performed automatically using the following script:
sed -i 's/^man_MANS/dist_&/; /^EXTRA_DIST/ s/ \$(MANS)//' modules/*/Makefile.am
|
| | |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_namespace/Makefile.am (service_DATA): New variable.
(install-data-local): Remove all commands related to servicedir.
(uninstall-local): Remove.
Fixes: 59812d1cf ("pam_namespace: secure tmp-inst directories")
|
| | |
| |
| |
| |
| |
| |
| | |
... and remove $(DATA) from EXTRA_DIST.
The change is performed automatically using the following script:
sed -i 's/^[a-z]*_DATA/dist_&/; /^EXTRA_DIST/ s/ \$(DATA)//' modules/*/Makefile.am
|
| | |
| |
| |
| |
| |
| |
| |
| | |
... and remove nodist_TESTS.
* modules/pam_timestamp/Makefile.am (nodist_TESTS): Remove.
(TESTS): Replace $(nodist_TESTS) with $(check_PROGRAMS).
(noinst_PROGRAMS): Rename to check_PROGRAMS.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
... and remove it from EXTRA_DIST
* modules/pam_timestamp/Makefile.am (EXTRA_DIST): Remove $(dist_TESTS).
(dist_TESTS): Rename to dist_check_SCRIPTS.
(TESTS): Replace $(dist_TESTS) with $(dist_check_SCRIPTS).
|
