From a6f4ab0bebc76acf85cc0244bd21c1036009c28c Mon Sep 17 00:00:00 2001 From: Steve Langasek Date: Wed, 2 Jan 2019 12:24:44 -0800 Subject: fix-up commit for grafting svn history onto git history --- debian/patches-applied/055_pam_unix_nullok_secure | 196 ++++++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100644 debian/patches-applied/055_pam_unix_nullok_secure (limited to 'debian/patches-applied/055_pam_unix_nullok_secure') diff --git a/debian/patches-applied/055_pam_unix_nullok_secure b/debian/patches-applied/055_pam_unix_nullok_secure new file mode 100644 index 00000000..98e1909d --- /dev/null +++ b/debian/patches-applied/055_pam_unix_nullok_secure @@ -0,0 +1,196 @@ +Debian patch to add a new 'nullok_secure' option to pam_unix, which +accepts users with null passwords only when the applicant is connected +from a tty listed in /etc/securetty. + +Authors: Sam Hartman , + Steve Langasek + +Upstream status: not yet submitted + +Index: Linux-PAM/modules/pam_unix/support.c +=================================================================== +--- Linux-PAM/modules/pam_unix/support.c.orig ++++ Linux-PAM/modules/pam_unix/support.c +@@ -87,15 +87,22 @@ + /* now parse the arguments to this module */ + + while (argc-- > 0) { +- int j; ++ int j, sl; + + D(("pam_unix arg: %s", *argv)); + + for (j = 0; j < UNIX_CTRLS_; ++j) { +- if (unix_args[j].token +- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) +- { +- break; ++ if (unix_args[j].token) { ++ sl = strlen(unix_args[j].token); ++ if (unix_args[j].token[sl-1] == '=') { ++ /* exclude argument from comparison */ ++ if (!strncmp(*argv, unix_args[j].token, sl)) ++ break; ++ } else { ++ /* compare full strings */ ++ if (!strcmp(*argv, unix_args[j].token)) ++ break; ++ } + } + } + +@@ -472,6 +479,17 @@ + if (salt) + _pam_delete(salt); + ++ if ((retval == 1) && on(UNIX_NULLOK_SECURE, ctrl)) { ++ int retval2; ++ const void *uttyname; ++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname); ++ if (retval2 != PAM_SUCCESS || uttyname == NULL) ++ return 0; ++ ++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS) ++ return 0; ++ } ++ + return retval; + } + +@@ -692,7 +710,7 @@ + int salt_len = strlen(salt); + if (!salt_len) { + /* the stored password is NULL */ +- if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */ ++ if (_unix_blankpasswd(pamh, ctrl, name)) {/* this means we've succeeded */ + D(("user has empty password - access granted")); + retval = PAM_SUCCESS; + } else { +Index: Linux-PAM/modules/pam_unix/support.h +=================================================================== +--- Linux-PAM/modules/pam_unix/support.h.orig ++++ Linux-PAM/modules/pam_unix/support.h +@@ -87,8 +87,9 @@ + #define UNIX_MAX_PASS_LEN 23 /* internal, for compatibility only */ + #define UNIX_MIN_PASS_LEN 24 /* Min length for password */ + #define UNIX_OBSCURE_CHECKS 25 /* enable obscure checks on passwords */ ++#define UNIX_NULLOK_SECURE 26 /* NULL passwords allowed only on secure ttys */ + /* -------------- */ +-#define UNIX_CTRLS_ 26 /* number of ctrl arguments defined */ ++#define UNIX_CTRLS_ 27 /* number of ctrl arguments defined */ + + + static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = +@@ -105,7 +106,7 @@ + /* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0x40}, + /* UNIX__PRELIM */ {NULL, _ALL_ON_^(0x180), 0x80}, + /* UNIX__UPDATE */ {NULL, _ALL_ON_^(0x180), 0x100}, +-/* UNIX__NONULL */ {NULL, _ALL_ON_, 0x200}, ++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x1000000), 0x200}, + /* UNIX__QUIET */ {NULL, _ALL_ON_, 0x400}, + /* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 0x800}, + /* UNIX_SHADOW */ {"shadow", _ALL_ON_, 0x1000}, +@@ -122,6 +123,7 @@ + /* UNIX_MAX_PASS_LEN */ {"max=", _ALL_ON_, 0}, + /* UNIX_MIN_PASS_LEN */ {"min=", _ALL_ON_, 0x400000}, + /* UNIX_OBSCURE_CHECKS */ {"obscure", _ALL_ON_, 0x800000}, ++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x1000000}, + }; + + #define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag) +@@ -157,6 +159,9 @@ + ,const void **pass); + extern int _unix_shadowed(const struct passwd *pwd); + ++extern int _pammodutil_tty_secure(const pam_handle_t *pamh, ++ const char *uttyname); ++ + extern struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user); + + extern unsigned int pass_min_len; +Index: Linux-PAM/modules/pam_unix/Makefile.am +=================================================================== +--- Linux-PAM/modules/pam_unix/Makefile.am.orig ++++ Linux-PAM/modules/pam_unix/Makefile.am +@@ -44,6 +44,9 @@ + pam_unix_auth.c pam_unix_passwd.c pam_unix_sess.c support.c \ + yppasswd_xdr.c md5_good.c md5_broken.c obscure.c + ++pam_unix_la_LIBADD = \ ++ ../pam_securetty/tty_secure.lo ++ + bigcrypt_SOURCES = bigcrypt.c bigcrypt_main.c + bigcrypt_CFLAGS = $(AM_CFLAGS) + bigcrypt_LDFLAGS = @LIBCRYPT@ +Index: Linux-PAM/modules/pam_unix/README +=================================================================== +--- Linux-PAM/modules/pam_unix/README.orig ++++ Linux-PAM/modules/pam_unix/README +@@ -57,7 +57,16 @@ + + The default action of this module is to not permit the user access to a + service if their official password is blank. The nullok argument overrides +- this default. ++ this default and allows any user with a blank password to access the ++ service. ++ ++nullok_secure ++ ++ The default action of this module is to not permit the user access to a ++ service if their official password is blank. The nullok_secure argument ++ overrides this default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of the values ++ found in /etc/securetty. + + try_first_pass + +Index: Linux-PAM/modules/pam_unix/pam_unix.8 +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix.8.orig ++++ Linux-PAM/modules/pam_unix/pam_unix.8 +@@ -62,7 +62,14 @@ + .RS 4 + The default action of this module is to not permit the user access to a service if their official password is blank\. The + \fBnullok\fR +-argument overrides this default\. ++argument overrides this default and allows any user with a blank password to access the service\. ++.RE ++.PP ++\fBnullok_secure\fR ++.RS 4 ++The default action of this module is to not permit the user access to a service if their official password is blank\. The ++\fBnullok_secure\fR ++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\. + .RE + .PP + \fBtry_first_pass\fR +Index: Linux-PAM/modules/pam_unix/pam_unix.8.xml +=================================================================== +--- Linux-PAM/modules/pam_unix/pam_unix.8.xml.orig ++++ Linux-PAM/modules/pam_unix/pam_unix.8.xml +@@ -135,7 +135,24 @@ + + The default action of this module is to not permit the + user access to a service if their official password is blank. +- The argument overrides this default. ++ The argument overrides this default ++ and allows any user with a blank password to access the ++ service. ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ The default action of this module is to not permit the ++ user access to a service if their official password is blank. ++ The argument overrides this ++ default and allows any user with a blank password to access ++ the service as long as the value of PAM_TTY is set to one of ++ the values found in /etc/securetty. + + + -- cgit v1.2.3