| Commit message (Collapse) | Author | Age |
... | |
| |
| |
| |
| |
| |
| |
| | |
The retrieved context is just passed to libselinux functions and not
printed or otherwise made available to the outside, so a context
translation to human readable MCS/MLS labels is not needed.
(see man:setrans.conf(5))
|
| |
| |
| |
| |
| | |
libselinux 3.1 deprecated the typedef security_context_t.
Use the underlaying type.
|
| |
| |
| |
| |
| |
| |
| | |
These retrieved contexts are just passed to libselinux functions and not
printed or otherwise made available to the outside, so a context
translation to human readable MCS/MLS labels is not needed.
(see man:setrans.conf(5))
|
| |
| |
| |
| |
| | |
libselinux 3.1 deprecated the typedef security_context_t.
Use the underlaying type.
|
| |
| |
| |
| |
| |
| | |
The retrieved context is just passed to the libselinux function
'selinux_check_access()', so a context translation to human readable
MCS/MLS labels is not needed. (see man:setrans.conf(5))
|
| |
| |
| |
| |
| | |
libselinux 3.1 deprecated the typedef security_context_t.
Use the underlaying type.
|
| |
| |
| |
| |
| | |
The matchpathcon family is deprecated.
Use the selabel family.
|
| |
| |
| |
| |
| | |
libselinux 3.1 deprecated the typedef security_context_t.
Use the underlaying type.
|
| |
| |
| |
| |
| | |
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Add comment
about the reason for ignoring PAM_AUTHTOK_ERR.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The daysleft otherwise stays uninitialized if there is no shadow entry.
Regression from commit f5adefa.
Fixes #255
* modules/pam_unix/pam_unix_acct.c (pam_sm_acct_mgmt): Initialize daysleft.
|
| |
| |
| |
| |
| |
| |
| |
| | |
The purpose of the helper is to enable tighter confinement of login and
password changing services. The helper is thus called only when SELinux
is enabled on the system.
Resolves: https://github.com/linux-pam/linux-pam/pull/247
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ldv: rewrote commit message]
* modules/pam_unix/passverify.h (read_passwords): Remove prototype.
* modules/pam_unix/passverify.c (read_passwords): Move ...
* libpam/include/pam_inline.h: ... here, rename to pam_read_passwords,
add static inline qualifiers.
Include <unistd.h> and <errno.h>.
* modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
(main): Replace read_passwords with pam_read_passwords.
* modules/pam_unix/unix_update.c: Include "pam_inline.h".
(set_password): Replace read_passwords with pam_read_passwords.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_unix/passverify.h (MAXPASS): Remove.
* modules/pam_unix/passverify.c (read_passwords): Replace MAXPASS
with PAM_MAX_RESP_SIZE.
* modules/pam_unix/pam_unix_passwd.c (_pam_unix_approve_pass): Likewise.
* modules/pam_unix/support.c (_unix_verify_password): Likewise.
* modules/pam_unix/unix_chkpwd.c (main): Likewise.
* modules/pam_unix/unix_update.c (set_password): Likewise.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Resolves: https://github.com/linux-pam/linux-pam/issues/148
Signed-off-by: Lucas Ramage <ramage.lucas@protonmail.com>
* modules/pam_stress/README: Remove.
* modules/pam_stress/README.xml: New file.
* modules/pam_stress/pam_stress.8.xml: Likewise.
* modules/pam_stress/Makefile.am (MAINTAINERCLEANFILES): Add
$(MANS) and README.
(EXTRA_DIST): Add $(XMLS).
(XMLS): Add README.xml and pam_stress.8.xml.
[HAVE_DOC] (dist_man_MANS): Add pam_stress.8.
[ENABLE_REGENERATE_MAN] (dist_noinst_DATA): Add README.
[ENABLE_REGENERATE_MAN]: Include $(top_srcdir)/Make.xml.rules.
* modules/pam_stress/.gitignore: Remove.
Resolves: https://github.com/linux-pam/linux-pam/pull/184
|
| |
| |
| |
| |
| |
| |
| |
| | |
[ldv: rewrote commit message]
* modules/pam_loginuid/pam_loginuid.c (set_loginuid): Do not pass to
strncmp the return value of pam_modutil_read in an unlikely case when
the latter fails to read from /proc/self/uid_map.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[ldv: rewrote commit message]
* modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just
opened file descriptor "srcfd" in an unlikely case when it cannot be
fstat'ed.
* modules/pam_namespace/pam_namespace.c (create_instance): Close just
opened file descriptor "fd" in an unlikely case when it cannot be
fstat'ed.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
CPPCHECK_WARNING (CWE-843):
error[va_end_missing]: va_list 'ap' was opened but not closed by
va_end().
[ldv: According to POSIX documentation, each invocation of va_start()
must be matched by a corresponding invocation of va_end().
According to the GNU libc documentation, "with most C compilers,
calling 'va_end' does nothing. This is always true in the GNU C
compiler. But you might as well call 'va_end' just in case your
program is someday compiled with a peculiar compiler."
The main reason for applying this change is to pacify static analysis
tools like cppcheck that insist on strict POSIX conformance in this
respect.]
|
| |
| |
| |
| | |
Resolves: https://github.com/linux-pam/linux-pam/pull/249
|
| | |
|
| |
| |
| |
| |
| |
| | |
* modules/pam_namespace/.gitignore: Add pam_namespace.service.
Complements: v1.4.0~247 ("pam_namespace: secure tmp-inst directories")
|
| |
| |
| |
| |
| |
| | |
* modules/pam_faillock/.gitignore: Add faillock.
Complements: v1.4.0~76 ("pam_faillock: New module for locking after multiple auth failures")
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Expose prctl(PR_SET_NO_NEW_PRIVS) as "nonewprivs" item.
The valid values are a boolean toggle 0/1 to keep semi-consistent
with the other numeric limits. It's slightly awkward as this is
an oddball relative to the other items in pam_limits but outside
of the item value itself this does seem at home in pam_limits.
Resolves: https://github.com/linux-pam/linux-pam/issues/224
Resolves: https://github.com/linux-pam/linux-pam/pull/225
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Taking a look at the time for the password prompt to appear it was
possible to determine if a user existed in a system. Solved it by
matching the runtime until the password prompt was shown by always
checking the password hash for an existing and a non-existing user.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Taking a look at the time for the password prompt to appear it was
possible to determine if a user existed in a system. Solved it by
matching the runtime until the password prompt was shown by always
checking the password hash for an existing and a non-existing user.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Nowadays, /run/faillock/$USER files have user:root ownership and 0600
permissions. This forces the process that writes to these files to have
CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660
the capability can be removed, which leads to a more secure system.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Use pam_modutil_check_user_in_passwd in pam_faillock.c instead of
fgetpwent_r which is not available on musl.
Resolves: https://github.com/linux-pam/linux-pam/issues/236
Resolves: https://github.com/linux-pam/linux-pam/pull/237
Fixes: http://autobuild.buildroot.org/results/0432736ffee376dd84757469434a4bbcfdcdaf4b
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* modules/pam_localuser/pam_localuser.c: Include
<security/pam_modutil.h>.
(pam_sm_authenticate): Replace check_user_in_passwd with
pam_modutil_check_user_in_passwd.
(check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd,
move to ...
* libpam/pam_modutil_check_user.c: ... new file.
* libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
* libpam/include/security/pam_modutil.h
(pam_modutil_check_user_in_passwd): New function declaration.
* libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
|
|\| |
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Matthias Gerstner found the following issue:
<quote>
So this pam_setquota module iterates over all mounted file systems using
`setmntent()` and `getmntent()`. It tries to find the longest match of
a file system mounted on /home/$USER or above (except when the
fs=/some/path parameter is passed to the pam module).
The thing is that /home/$USER is owned by the unprivileged user. And
there exist tools like fusermount from libfuse which is by default
installed setuid-root for everybody. fusermount allows to mount a FUSE
file system using an arbitrary "source device name" as the unprivileged
user.
Thus considering the following use case:
1) there is only the root file system (/) or a file system is mounted on
/home, but not on /home/$USER.
2) the attacker mounts a fake FUSE file system over its own home directory:
```
user $ export _FUSE_COMMFD=0
user $ fusermount $HOME -ononempty,fsname=/dev/sda1
```
This will result in a mount entry in /proc/mounts looking like this:
```
/dev/sda1 on /home/$USER type fuse (rw,nosuid,nodev,relatime,user_id=1000,group_id=100)
```
3) when the attacker now logs in with pam_setquota configured then
pam_setquota will identify /dev/sda1 and the file system where
to apply the user's quota on.
As a result an unprivileged user has full control over onto which block
device the quota is applied.
</quote>
If the user's $HOME is on a separate partition, setting a quota on the
user's $HOME does not really make sense, so this patch skips mountpoints
equal to the user's $HOME, preventing the above mentioned bug as
a side-effect (or vice-versa).
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Co-authored-by: Tomáš Mráz <tmraz@redhat.com>
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
Resolves: https://github.com/linux-pam/linux-pam/pull/230
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
pam_debug used to invoke pam_get_user and set PAM_USER to "nobody" when
pam_get_user returns an empty string as the user name. When either of
these functions returned an error value, it used to return that error
value. This hasn't been documented, and I couldn't find any rationale
for this behaviour.
* modules/pam_debug/pam_debug.c (pam_sm_authenticate): Do not invoke
pam_get_user and pam_set_item.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_faillock/pam_faillock.c (get_pam_user): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_ERR to LOG_NOTICE.
* modules/pam_keyinit/pam_keyinit.c (do_keyinit): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_listfile/pam_listfile.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_sepermit/pam_sepermit.c (sepermit_lock): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Downgrade
the syslog level for diagnostics of errors returned by
pam_modutil_getpwnam for users returned by pam_get_user
from LOG_WARNING to LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_access/pam_access.c (pam_sm_authenticate): Downgrade
the syslog level for pam_get_user errors from LOG_ERR to LOG_NOTICE.
* modules/pam_cracklib/pam_cracklib.c (_pam_unix_approve_pass): Likewise.
* modules/pam_ftp/pam_ftp.c (pam_sm_authenticate): Likewise.
* modules/pam_group/pam_group.c (pam_sm_setcred): Likewise.
* modules/pam_lastlog/pam_lastlog.c (pam_sm_authenticate): Likewise.
* modules/pam_loginuid/pam_loginuid.c (_pam_loginuid): Likewise.
* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
* modules/pam_nologin/pam_nologin.c (perform_check): Likewise.
* modules/pam_rhosts/pam_rhosts.c (pam_sm_authenticate): Likewise.
* modules/pam_sepermit/pam_sepermit.c (pam_sm_authenticate): Likewise.
* modules/pam_succeed_if/pam_succeed_if.c (pam_sm_authenticate): Likewise.
* modules/pam_tally/pam_tally.c (pam_get_uid): Likewise.
* modules/pam_tally2/pam_tally2.c (pam_get_uid): Likewise.
* modules/pam_time/pam_time.c (pam_sm_acct_mgmt): Likewise.
* modules/pam_tty_audit/pam_tty_audit.c (pam_sm_open_session): Likewise.
* modules/pam_umask/pam_umask.c (pam_sm_open_session): Likewise.
* modules/pam_userdb/pam_userdb.c (pam_sm_authenticate,
pam_sm_acct_mgmt): Likewise.
* modules/pam_usertype/pam_usertype.c (pam_usertype_get_uid): Likewise.
* modules/pam_xauth/pam_xauth.c (pam_sm_open_session,
pam_sm_close_session): Likewise.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Downgrade the syslog level for pam_get_user errors from LOG_WARNING
to LOG_NOTICE.
* modules/pam_stress/pam_stress.c (pam_sm_authenticate): Likewise.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/tst-pam_localuser-retval.c: New file.
* modules/pam_localuser/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_localuser_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (check_user_in_passwd): New
function.
(pam_sm_authenticate): Use it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Downgrade
the syslog level for errors related to pam_get_user from LOG_ERR to
LOG_NOTICE.
Suggested-by: Tomáš Mráz <tmraz@fedoraproject.org>
|
| | |
|
| |
| |
| |
| |
| |
| |
| |
| | |
Also, remove unused MODULE_NAME macro.
* modules/pam_localuser/pam_localuser.c: Stop including unused header
files.
(MODULE_NAME): Remove.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Starting with commit c2c601f5340a59c5c62193d55b555d384380ea38,
pam_get_user is guaranteed to return one of the following values:
PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_AGAIN, or PAM_CONV_ERR.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
replace non-PAM_CONV_AGAIN error values returned by pam_get_user with
PAM_SERVICE_ERR.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
new return values.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Give the application a chance to handle PAM_INCOMPLETE.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_INCOMPLETE instead of PAM_SERVICE_ERR when pam_get_user returns
PAM_CONV_AGAIN.
* modules/pam_localuser/pam_localuser.8.xml (RETURN VALUES): Document
it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Since user name is untrusted input, it should be validated earlier
rather than later.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Open
the passwd file after user name validation.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As BUFSIZ is the buffer size used in stdio, it must be an efficient size
for the line buffer. Also, it's larger than LINE_MAX used as the line
buffer size before this change, effectively raising the maximum user
name length supported by this module.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Replace
LINE_MAX with BUFSIZ.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Before this change, a long line in the passwd file used to be treated as
several lines which could potentially result to false match and,
consequently, to incorrect PAM_SUCCESS return value.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Handle
long lines in passwd files properly.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Do not
copy the user name into a temporary buffer, use the user name itself in
comparisons.
|
| |
| |
| |
| |
| | |
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Log
unrecognized options.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
When passwd file cannot be opened or the user name either cannot be
obtained or is not valid, return PAM_SERVICE_ERR instead of
PAM_SYSTEM_ERR.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_SERVICE_ERR instead of PAM_SYSTEM_ERR.
|
| |
| |
| |
| |
| |
| |
| |
| | |
Too long user names used to be truncated which could potentially result
to false match and, consequently, to incorrect PAM_SUCCESS return value.
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_SERVICE_ERR if the user name is too long.
|
| |
| |
| |
| |
| |
| |
| |
| | |
"root:x" is not a local user name even if the passwd file contains
a line starting with "root:x:".
* modules/pam_localuser/pam_localuser.c (pam_sm_authenticate): Return
PAM_PERM_DENIED if the user name contains a colon.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_mkhomedir/tst-pam_mkhomedir-retval.c: New file.
* modules/pam_mkhomedir/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_mkhomedir_retval_LDADD): New variables.
|
| |
| |
| |
| |
| |
| | |
* modules/pam_faildelay/tst-pam_faildelay-retval.c: New file.
* modules/pam_faildelay/Makefile.am (TESTS): Add $(check_PROGRAMS).
(check_PROGRAMS, tst_pam_faildelay_retval_LDADD): New variables.
|