From 91d4678388b2a7d768ee2ec8cc569e11fc223ffd Mon Sep 17 00:00:00 2001 From: Rosen Penev Date: Sun, 15 Jul 2018 20:43:44 -0700 Subject: Replace strndupa with strncpy glibc only. A static string is better. Signed-off-by: Rosen Penev --- modules/pam_exec/pam_exec.c | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) (limited to 'modules/pam_exec/pam_exec.c') diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 52dc6818..6cad16e4 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -102,7 +102,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, int use_stdout = 0; int optargc; const char *logfile = NULL; - const char *authtok = NULL; + char authtok[PAM_MAX_RESP_SIZE] = {}; pid_t pid; int fds[2]; int stdout_fds[2]; @@ -180,12 +180,12 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (resp) { pam_set_item (pamh, PAM_AUTHTOK, resp); - authtok = strndupa (resp, PAM_MAX_RESP_SIZE); + strncpy (authtok, resp, sizeof(authtok) - 1); _pam_drop (resp); } } else - authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE); + strncpy (authtok, void_pass, sizeof(authtok) - 1); if (pipe(fds) != 0) { 
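Review bot: The new `char authtok[PAM_MAX_RESP_SIZE] = {};` keeps a cleartext copy of the password on call_exec's stack, and nothing in the visible hunks wipes it after it has been written to the child. A fixed array makes this easy to fix: clear it right after the `write()` in the parent, and on the early-return paths, with a wipe the compiler cannot elide, e.g. `explicit_bzero (authtok, sizeof(authtok));` where available. Separately, an empty initializer is a GNU extension before C23, which works against the commit's aim of dropping a glibc-only call; `= {0}` is the portable spelling. call_exec starts and ends outside this hunk, so cleanup may exist that is not shown.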
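Review bot: Both `strncpy (authtok, …, sizeof(authtok) - 1)` calls silently truncate a token longer than `sizeof(authtok) - 1` bytes, so the child can receive a different password than the one just stored with `pam_set_item (pamh, PAM_AUTHTOK, resp)`. The removed `strndupa (…, PAM_MAX_RESP_SIZE)` had the same cap one byte later, but neither version reports it. Consider testing `if (strlen (resp) >= sizeof(authtok))` first, and the same for `void_pass`, then logging and returning an error instead of forwarding a shortened secret. NUL termination here depends on the array being zero-initialised at its declaration in the previous hunk, so a short comment saying that would protect it from a later edit.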
@@ -225,23 +225,14 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (expose_authtok) /* send the password to the child */ { - if (authtok != NULL) - { /* send the password to the child */ - if (debug) - pam_syslog (pamh, LOG_DEBUG, "send password to child"); - if (write(fds[1], authtok, strlen(authtok)+1) == -1) - pam_syslog (pamh, LOG_ERR, - "sending password to child failed: %m"); - authtok = NULL; - } - else - { - if (write(fds[1], "", 1) == -1) /* blank password */ - pam_syslog (pamh, LOG_ERR, - "sending password to child failed: %m"); - } - close(fds[0]); /* close here to avoid possible SIGPIPE above */ - close(fds[1]); + if (debug) + pam_syslog (pamh, LOG_DEBUG, "send password to child"); + if (write(fds[1], authtok, strlen(authtok)) == -1) + pam_syslog (pamh, LOG_ERR, + "sending password to child failed: %m"); + + close(fds[0]); /* close here to avoid possible SIGPIPE above */ + close(fds[1]); } if (use_stdout) -- cgit v1.2.3 From 1181e0590c9f059c40b71718d4fb3b6c339f65db Mon Sep 17 00:00:00 2001 
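Review bot: `write(fds[1], authtok, strlen(authtok))` no longer sends the terminating NUL that the removed code sent with `strlen(authtok)+1`, and for an empty token it now writes zero bytes where the old branch wrote a single `\0`. That changes what the child reads from the pipe, and the commit message does not mention it. If the change is intended, state it in the message and in a comment next to the call; otherwise keep `strlen(authtok) + 1`. The result is also only compared with -1, so a short write of the password goes unnoticed and the module carries on after a failed write; comparing the return value with the expected length would catch both.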
From: "Dmitry V. Levin" Date: Mon, 16 Mar 2020 21:02:18 +0000 Subject: Use PAM_ARRAY_SIZE Replace all instances of sizeof(x) / sizeof(*x) with PAM_ARRAY_SIZE(x) which is less error-prone and implements an additional type check. * libpam/pam_handlers.c: Include "pam_inline.h". (_pam_open_config_file): Use PAM_ARRAY_SIZE. * modules/pam_exec/pam_exec.c: Include "pam_inline.h". (call_exec): Use PAM_ARRAY_SIZE. * modules/pam_namespace/pam_namespace.c: Include "pam_inline.h". (filter_mntopts): Use PAM_ARRAY_SIZE. * modules/pam_timestamp/hmacfile.c: Include "pam_inline.h". (testvectors): Use PAM_ARRAY_SIZE. * modules/pam_xauth/pam_xauth.c: Include "pam_inline.h". (run_coprocess, pam_sm_open_session): Use PAM_ARRAY_SIZE. * tests/tst-pam_get_item.c: Include "pam_inline.h". (main): Use PAM_ARRAY_SIZE. * tests/tst-pam_set_item.c: Likewise. * xtests/tst-pam_pwhistory1.c: Likewise. * xtests/tst-pam_time1.c: Likewise. --- modules/pam_exec/pam_exec.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'modules/pam_exec/pam_exec.c') diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 6cad16e4..f1a1bc29 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -59,6 +59,7 @@ #include #include #include +#include "pam_inline.h" #define ENV_ITEM(n) { (n), #n } static struct { @@ -414,7 +415,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, envlist = pam_getenvlist(pamh); for (envlen = 0; envlist[envlen] != NULL; ++envlen) /* nothing */ ; - nitems = sizeof(env_items) / sizeof(*env_items); + nitems = PAM_ARRAY_SIZE(env_items); /* + 2 because of PAM_TYPE and NULL entry */ tmp = realloc(envlist, (envlen + nitems + 2) * sizeof(*envlist)); if (tmp == NULL) -- cgit v1.2.3 From a512eaaf4d6334976e071bf7f57be866f1c42f6c Mon Sep 17 00:00:00 2001 
From: "Dmitry V. Levin" Date: Tue, 17 Mar 2020 21:29:24 +0000 Subject: modules/pam_exec: use pam_str_skip_icase_prefix * modules/pam_exec/pam_exec.c (call_exec): Use pam_str_skip_icase_prefix instead of ugly strncasecmp invocations. --- modules/pam_exec/pam_exec.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'modules/pam_exec/pam_exec.c') diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index f1a1bc29..d37f555a 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -117,6 +117,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, for (optargc = 0; optargc < argc; optargc++) { + const char *str; + if (argv[optargc][0] == '/') /* paths starts with / */ break; @@ -124,11 +126,11 @@ call_exec (const char *pam_type, pam_handle_t *pamh, debug = 1; else if (strcasecmp (argv[optargc], "stdout") == 0) use_stdout = 1; - else if (strncasecmp (argv[optargc], "log=", 4) == 0) - logfile = &argv[optargc][4]; - else if (strncasecmp (argv[optargc], "type=", 5) == 0) + else if ((str = pam_str_skip_icase_prefix (argv[optargc], "log=")) != NULL) + logfile = str; + else if ((str = pam_str_skip_icase_prefix (argv[optargc], "type=")) != NULL) { - if (strcmp (pam_type, &argv[optargc][5]) != 0) + if (strcmp (pam_type, str) != 0) return PAM_IGNORE; } else if (strcasecmp (argv[optargc], "seteuid") == 0) -- cgit v1.2.3 From b838197cab25d5e2d83ef74d36401ff8a4f2ffdf Mon Sep 17 00:00:00 2001 
From: Alexander Zubkov Date: Mon, 23 Mar 2020 19:24:15 +0100 Subject: pam_exec: require user name to be ready for the command pam_exec module can be called when a user name has not been prompted yet. And thus the command is called without a user name available. This fix asks PAM for the user name to ensure it is ready or to force the prompt. Resolves: https://github.com/linux-pam/linux-pam/issues/131 Resolves: https://github.com/linux-pam/linux-pam/pull/195 --- modules/pam_exec/pam_exec.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'modules/pam_exec/pam_exec.c') diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index d37f555a..918422cf 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -108,6 +108,8 @@ call_exec (const char *pam_type, pam_handle_t *pamh, int fds[2]; int stdout_fds[2]; FILE *stdout_file = NULL; + int retval; + const char *name; if (argc < 1) { pam_syslog (pamh, LOG_ERR, @@ -143,6 +145,16 @@ call_exec (const char *pam_type, pam_handle_t *pamh, break; /* Unknown option, assume program to execute. */ } + /* Request user name to be available. */ + + retval = pam_get_user(pamh, &name, NULL); + if (retval != PAM_SUCCESS) + { + if (retval == PAM_CONV_AGAIN) + retval = PAM_INCOMPLETE; + return retval; + } + if (expose_authtok == 1) { if (strcmp (pam_type, "auth") != 0) @@ -154,7 +166,6 @@ call_exec (const char *pam_type, pam_handle_t *pamh, else { const void *void_pass; - int retval; retval = pam_get_item (pamh, PAM_AUTHTOK, &void_pass); if (retval != PAM_SUCCESS) @@ -224,7 +235,7 @@ call_exec (const char *pam_type, pam_handle_t *pamh, if (pid > 0) /* parent */ { int status = 0; - pid_t retval; + pid_t rc; if (expose_authtok) /* send the password to the child */ { 
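Review bot: The new `pam_get_user(pamh, &name, NULL)` failure path returns without a `pam_syslog` call, unlike the other error returns visible in call_exec, so a stack that stops here leaves no record of why the command never ran. `name` is also only written in the visible hunks. If the call exists purely to make the user name available to the command, extend the comment to say so, and consider rejecting an empty result, e.g. `if (name == NULL || name[0] == '\0') return PAM_USER_UNKNOWN;`. call_exec continues beyond this hunk, so a later use of `name` may exist that is not shown.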
@@ -253,9 +264,9 @@ call_exec (const char *pam_type, pam_handle_t *pamh, fclose(stdout_file); } - while ((retval = waitpid (pid, &status, 0)) == -1 && + while ((rc = waitpid (pid, &status, 0)) == -1 && errno == EINTR); - if (retval == (pid_t)-1) + if (rc == (pid_t)-1) { pam_syslog (pamh, LOG_ERR, "waitpid returns with -1: %m"); return PAM_SYSTEM_ERR; -- cgit v1.2.3 From 37b5259298be9137f5b40eef16027152ddb803ff Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Fri, 1 May 2020 19:20:12 +0000 Subject: modules: remove PAM_SM_* macros Starting with commit a684595c0bbd88df71285f43fb27630e3829121e aka Linux-PAM-1.3.0~14 (Remove "--enable-static-modules" option and support from Linux-PAM), PAM_SM_* macros have no effect. --- modules/pam_exec/pam_exec.c | 6 ------ 1 file changed, 6 deletions(-) (limited to 'modules/pam_exec/pam_exec.c') diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 918422cf..5ca85ab3 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -49,12 +49,6 @@ #include #include - -#define PAM_SM_AUTH -#define PAM_SM_ACCOUNT -#define PAM_SM_SESSION -#define PAM_SM_PASSWORD - #include #include #include -- cgit v1.2.3