From f2b7f432bc20a90b836c6c2d2dba53979296ccc0 Mon Sep 17 00:00:00 2001 From: "Dmitry V. Levin" Date: Mon, 18 Feb 2008 13:18:43 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-02-18 Dmitry V. Levin * modules/pam_exec/pam_exec.c (call_exec): Fix asprintf return code check. --- modules/pam_exec/pam_exec.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) (limited to 'modules') diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 766c0a06..14dddd54 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -244,8 +244,8 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) if (tmp == NULL) { free(envlist); - pam_syslog (pamh, LOG_ERR, "realloc environment failed : %m"); - exit (ENOMEM); + pam_syslog (pamh, LOG_ERR, "realloc environment failed: %m"); + exit (ENOMEM); } envlist = tmp; for (i = 0; i < nitems; ++i) @@ -255,11 +255,10 @@ call_exec (pam_handle_t *pamh, int argc, const char **argv) if (pam_get_item(pamh, env_items[i].item, &item) != PAM_SUCCESS || item == NULL) continue; - asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item); - if (envstr == NULL) + if (asprintf(&envstr, "%s=%s", env_items[i].name, (const char *)item) < 0) { free(envlist); - pam_syslog (pamh, LOG_ERR, "prepare environment failed : %m"); + pam_syslog (pamh, LOG_ERR, "prepare environment failed: %m"); exit (ENOMEM); } envlist[envlen++] = envstr; -- cgit v1.2.3 From 6ccbba1cf178e9de46347e2f9df76f69aebcec20 Mon Sep 17 00:00:00 2001 
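Review bot: The error branches on the new side still leave through `exit (ENOMEM)`, and call_exec — whose body starts outside the hunk — appears to be assembling the environment for a child that will exec the configured program; if that is the case, the child should leave via `_exit (ENOMEM)` so that it neither flushes the stdio buffers inherited from the parent nor runs the parent's atexit handlers a second time. The asprintf branch in the second hunk has the same `exit (ENOMEM)`. A comment such as `/* child process: abandon the exec, the parent reports the failure */` would make the intent explicit either way.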
From: Tomas Mraz Date: Thu, 21 Feb 2008 21:12:30 +0000 Subject: Relevant BUGIDs: rhbz#433459 Purpose of commit: bugfix Commit summary: --------------- 2008-02-21 Tomas Mraz * libpam/pam_audit.c (_pam_audit_writelog): Silence syslog message on non-error return. * modules/pam_unix/unix_chkpwd.c (main): Proceed as unprivileged user when checking password of another user. * modules/pam_unix/unix_update.c: Fix comment. --- modules/pam_unix/unix_chkpwd.c | 5 ++++- modules/pam_unix/unix_update.c | 11 ++++++----- 2 files changed, 10 insertions(+), 6 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 11ac3aac..5f872d27 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -101,7 +101,10 @@ int main(int argc, char *argv[]) /* if the caller specifies the username, verify that user matches it */ if (strcmp(user, argv[1])) { - return PAM_AUTH_ERR; + user = argv[1]; + /* no match -> permanently change to the real user and proceed */ + if (setuid(getuid()) != 0) + return PAM_AUTH_ERR; } } diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 595b7f8b..f54a59ce 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c 
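Review bot: The added `setuid(getuid())` drops root but leaves the effective and saved group ids untouched, so if this helper is installed setgid (for example group shadow, as some distributions do) the process keeps its read access to the shadow database after the supposed drop and the check for another user still runs with more privilege than intended. Drop the group first and fail closed if either call fails: `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR;` (a preceding `setgroups()` would only be needed if the helper can run with supplementary groups it must not keep). After `user = argv[1]` the name comes straight from the caller, which is acceptable only because the lookup now runs under the caller's own uid; a comment saying so would help. main() continues outside the hunk.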
@@ -1,11 +1,12 @@
 /*
- * This program is designed to run setuid(root) or with sufficient
- * privilege to read all of the unix password databases. It is designed
- * to provide a mechanism for the current user (defined by this
- * process' uid) to verify their own password.
+ * This program is designed to run with sufficient privilege
+ * to read and write all of the unix password databases.
+ * Its purpose is to allow updating the databases when
+ * SELinux confinement of the caller domain prevents them to
+ * do that themselves.
  *
  * The password is read from the standard input. The exit status of
- * this program indicates whether the user is authenticated or not.
+ * this program indicates whether the password was updated or not.
  *
  * Copyright information is located at the end of the file.
  *
--
cgit v1.2.3
From 9484d6c4621ca3b0258005e49959d77e9e127ae0 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 29 Feb 2008 15:22:03 +0000
Subject: Relevant BUGIDs:
Purpose of commit: cleanup
Commit summary:
---------------
2008-02-26 Tomas Mraz
* modules/pam_unix/Makefile.am: Do not link to cracklib.
* modules/pam_unix/pam_unix_passwd.c(_pam_unix_approve_pass): Do not call FascistCheck() from cracklib.
---
modules/pam_unix/Makefile.am | 5 +----
modules/pam_unix/pam_unix_passwd.c | 12 ------------
2 files changed, 1 insertion(+), 16 deletions(-)
(limited to 'modules')
diff --git a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
index 4d2c58b8..61a3b0ce 100644
--- a/modules/pam_unix/Makefile.am
+++ b/modules/pam_unix/Makefile.am
@@ -22,15 +22,12 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ if HAVE_LIBSELINUX AM_CFLAGS += -D"WITH_SELINUX" endif -if HAVE_LIBCRACK - AM_CFLAGS += -D"USE_CRACKLIB" -endif pam_unix_la_LDFLAGS = -no-undefined -avoid-version -module if HAVE_VERSIONING pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -pam_unix_la_LIBADD = @LIBCRACK@ @LIBNSL@ -L$(top_builddir)/libpam -lpam \ +pam_unix_la_LIBADD = @LIBNSL@ -L$(top_builddir)/libpam -lpam \ @LIBCRYPT@ @LIBSELINUX@ securelib_LTLIBRARIES = pam_unix.la diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 432f687f..d221220f 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -67,10 +67,6 @@ static int selinux_enabled=-1; #define SELINUX_ENABLED (selinux_enabled!=-1 ? selinux_enabled : (selinux_enabled=is_selinux_enabled()>0)) #endif -#ifdef USE_CRACKLIB -#include -#endif - #include /* indicate the following groups are defined */ @@ -106,9 +102,6 @@ extern int getrpcport(const char *host, unsigned long prognum, #define _UNIX_NEW_AUTHTOK "-UN*X-NEW-PASS" #define MAX_PASSWD_TRIES 3 -#ifndef CRACKLIB_DICTS -#define CRACKLIB_DICTS NULL -#endif static char *getNISserver(pam_handle_t *pamh) { @@ -469,14 +462,9 @@ static int _pam_unix_approve_pass(pam_handle_t * pamh } } if (off(UNIX__IAMROOT, ctrl)) { -#ifdef USE_CRACKLIB - remark = FascistCheck (pass_new, CRACKLIB_DICTS); - D(("called cracklib [%s]", remark)); -#else if (strlen(pass_new) < 6) remark = _("You must choose a longer password"); D(("length check [%s]", remark)); -#endif if (on(UNIX_REMEMBER_PASSWD, ctrl)) { if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR) remark = _("Password has been already used. Choose another."); -- cgit v1.2.3 From 82d45174fcaac68e318a868689689085881b9dac Mon Sep 17 00:00:00 2001 
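Review bot: With the `FascistCheck()` call removed, the only strength test left in `_pam_unix_approve_pass` is `strlen(pass_new) < 6`, so builds that previously enabled USE_CRACKLIB lose dictionary checking silently and nothing in the hunk tells administrators to stack pam_cracklib before pam_unix. A comment at the check would make the new contract explicit, e.g. `/* Only a minimal length check here; dictionary and strength checks belong to a stacked pam_cracklib module. */`, and the module documentation should say the same. The `strlen()` test counts bytes rather than characters, so a multibyte password can pass with fewer than six characters — a limitation worth noting in that comment. The function starts and ends outside the hunk.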
From: Tomas Mraz
Date: Mon, 3 Mar 2008 08:09:10 +0000
Subject: Relevant BUGIDs:
Purpose of commit: translations
Commit summary:
---------------
2008-03-03 Tomas Mraz
* modules/pam_selinux/pam_selinux.c: Do not translate syslog messages.
* po/Linux-PAM.pot: Update.
---
modules/pam_selinux/pam_selinux.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'modules')
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index f0935896..8959c8cf 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -91,26 +91,26 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT) return 0; /* No audit support in kernel */ - pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.")); + pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); return rc; } if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { - pam_syslog(pamh, LOG_ERR, _("Error translating default context.")); + pam_syslog(pamh, LOG_ERR, "Error translating default context."); default_raw = NULL; } if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { - pam_syslog(pamh, LOG_ERR, _("Error translating selected context.")); + pam_syslog(pamh, LOG_ERR, "Error translating selected context."); selected_raw = NULL; } if (asprintf(&msg, "pam: default-context=%s selected-context=%s", default_raw ? default_raw : (default_context ? default_context : "?"), selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { - pam_syslog(pamh, LOG_ERR, ("Error allocating memory.")); + pam_syslog(pamh, LOG_ERR, "Error allocating memory."); goto out; } if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, msg, NULL, NULL, NULL, success) <= 0) { - pam_syslog(pamh, LOG_ERR, _("Error sending audit message.")); + pam_syslog(pamh, LOG_ERR, "Error sending audit message."); goto out; } rc = 0; @@ -509,7 +509,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, default_user_context=strdup(contextlist[0]); freeconary(contextlist); if (default_user_context == NULL) { - pam_syslog(pamh, LOG_ERR, _("Out of memory")); + pam_syslog(pamh, LOG_ERR, "Out of memory"); return PAM_AUTH_ERR; } user_context = default_user_context; 
@@ -517,7 +517,7 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, user_context = config_context(pamh, default_user_context, debug); if (user_context == NULL) { freecon(default_user_context); - pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), + pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); if (security_getenforce() == 1) -- cgit v1.2.3 From b1056a520bd46e79dce2342d732dbf7a40d23d1e Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 5 Mar 2008 20:21:38 +0000 Subject: Relevant BUGIDs: Purpose of commit: cleanup Commit summary: --------------- 2008-03-05 Tomas Mraz * modules/pam_cracklib/pam_cracklib.c(pam_sm_chauthtok): Avoid unnecessary x_strdup() of resp. * modules/pam_ftp/pam_ftp(pam_sm_authenticate): Call _pam_overwrite() before dropping password resp. --- modules/pam_cracklib/pam_cracklib.c | 12 ++---------- modules/pam_ftp/pam_ftp.c | 2 ++ 2 files changed, 4 insertions(+), 10 deletions(-) (limited to 'modules') diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c index 532a72b2..0c39f89d 100644 --- a/modules/pam_cracklib/pam_cracklib.c +++ b/modules/pam_cracklib/pam_cracklib.c @@ -642,16 +642,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, options.prompt_type[0]?" ":""); if (retval == PAM_SUCCESS) { /* a good conversation */ - token1 = x_strdup(resp); + token1 = resp; if (token1 == NULL) { pam_syslog(pamh, LOG_NOTICE, "could not recover authentication token 1"); retval = PAM_AUTHTOK_RECOVERY_ERR; } - /* - * tidy up the conversation (resp_retcode) is ignored - */ - _pam_drop(resp); } else { retval = (retval == PAM_SUCCESS) ? PAM_AUTHTOK_RECOVERY_ERR:retval ; 
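Review bot: `token1 = resp;` now hands ownership of the conversation response to token1 instead of copying it, and the `_pam_drop(resp)` that used to release the buffer is gone, so the buffer must be overwritten and freed wherever token1 is released (outside the hunk) — otherwise this turns an extra copy into a leak of the cleartext password. Setting `resp = NULL;` right after the hand-off would make the ownership move explicit and keep any later `_pam_drop(resp)` from double-freeing token1. A one-line comment, `/* resp is now owned by token1 and released together with it */`, would help the next reader; the same applies to the token2 hunk that follows. pam_sm_chauthtok continues outside the hunk on both sides.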
@@ -710,16 +706,12 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, PROMPT2, options.prompt_type, options.prompt_type[0]?" ":""); if (retval == PAM_SUCCESS) { /* a good conversation */ - token2 = x_strdup(resp); + token2 = resp; if (token2 == NULL) { pam_syslog(pamh,LOG_NOTICE, "could not recover authentication token 2"); retval = PAM_AUTHTOK_RECOVERY_ERR; } - /* - * tidy up the conversation (resp_retcode) is ignored - */ - _pam_drop(resp); } /* No else, the a retval == PAM_SUCCESS path can change retval diff --git a/modules/pam_ftp/pam_ftp.c b/modules/pam_ftp/pam_ftp.c index 11cdf590..7c546511 100644 --- a/modules/pam_ftp/pam_ftp.c +++ b/modules/pam_ftp/pam_ftp.c @@ -162,6 +162,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, GUEST_LOGIN_PROMPT); if (retval != PAM_SUCCESS) { + _pam_overwrite (resp); _pam_drop (resp); return ((retval == PAM_CONV_AGAIN) ? PAM_INCOMPLETE:PAM_AUTHINFO_UNAVAIL); @@ -200,6 +201,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, } /* clean up */ + _pam_overwrite(resp); _pam_drop(resp); /* success or failure */ -- cgit v1.2.3 From ffe3830f997b26538dabbac0c7cbc359e71a3c34 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Thu, 20 Mar 2008 17:06:32 +0000 Subject: Relevant BUGIDs: rhbz#438338, rhbz#438264 Purpose of commit: bugfix Commit summary: --------------- 2008-03-20 Tomas Mraz * modules/pam_namespace/pam_namespace.c(poly_name): Switch to USER method only when appropriate. (setup_namespace): Do not umount when not mounted with RUSER. * modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Call freecontext() after the context is logged not before. --- modules/pam_namespace/pam_namespace.c | 16 +++++++++++----- modules/pam_selinux/pam_selinux.c | 22 ++++++++++++---------- 2 files changed, 23 insertions(+), 15 deletions(-) (limited to 'modules') diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index d0741fd2..80c51443 100644 
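Review bot: The `_pam_overwrite(resp)` added before `_pam_drop(resp)` in pam_ftp is the right idea, but if `_pam_overwrite` is the plain character loop from the PAM macros, its stores immediately precede a `free()` of the same buffer and the optimizer is entitled to discard them as dead, so the password may still remain in freed heap memory. With no explicit_bzero-style primitive available here, writing the zeros through a `volatile char *` is the portable way to make the wipe stick; a comment such as `/* scrub the password before the buffer is released */` should state the intent. The first hunk wipes only on the failure path and the second after the comparison, which is correct as long as no other early return between them leaves resp alive — the part of pam_sm_authenticate between the hunks is not visible.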
--- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -822,10 +822,11 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, */ pm = polyptr->method; - if (pm == LEVEL || pm == USER) { + if (pm == LEVEL || pm == CONTEXT) #ifdef WITH_SELINUX - if (!(idata->flags & PAMNS_CTXT_BASED_INST)) + if (!(idata->flags & PAMNS_CTXT_BASED_INST)) { #else + { pam_syslog(idata->pamh, LOG_NOTICE, "Context and level methods not available, using user method"); #endif @@ -1528,13 +1529,18 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { enum unmnt_op dir_unmnt = unmnt; - if (ns_override(pptr, idata, idata->uid)) { - if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { - continue; + + if (ns_override(pptr, idata, idata->ruid)) { + dir_unmnt = NO_UNMNT; + } + if (ns_override(pptr, idata, idata->uid)) { + if (dir_unmnt == NO_UNMNT) { + continue; } else { dir_unmnt = UNMNT_ONLY; } } + if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Setting poly ns for user %d for dir %s", diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 8959c8cf..f679e33d 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -672,7 +672,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int i, debug = 0,status=0, open_session=0; + int i, debug = 0, status = PAM_SUCCESS, open_session = 0; if (! (selinux_enabled )) return PAM_SUCCESS; 
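Review bot: In poly_name the brace structure of the new `if (pm == LEVEL || pm == CONTEXT)` now depends on the preprocessor: the block is opened by the `{` at the end of the inner `if` in the `#ifdef WITH_SELINUX` branch and by the bare `{` after `#else` otherwise, which is easy to break when either branch is edited later. Computing the condition first and keeping a single brace pair is clearer: `int ctxt_based = 0;`, then under `#ifdef WITH_SELINUX` the line `ctxt_based = (idata->flags & PAMNS_CTXT_BASED_INST) != 0;`, then `if ((pm == LEVEL || pm == CONTEXT) && !ctxt_based) {` for the fall-back block. The matching closing brace and the switch to the USER method are outside the hunk and would need the same adjustment. In setup_namespace the new code now consults ns_override for ruid before uid, which is the intended fix; a short comment saying that a real-user override suppresses the unmount would save the next reader from re-deriving it.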
@@ -702,19 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, free(ttyn); ttyn=NULL; } - status=setexeccon(prev_user_context); - freecon(prev_user_context); - if (status) { - pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.", + if (prev_user_context) { + if (setexeccon(prev_user_context)) { + pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.", prev_user_context); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; + if (security_getenforce() == 1) + status = PAM_AUTH_ERR; + else + status = PAM_SUCCESS; + } + freecon(prev_user_context); + prev_user_context = NULL; } if (debug) pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal"); - return PAM_SUCCESS; + return status; } -- cgit v1.2.3 From d07b392cdb5b264d21c6a64753957710b3ec921c Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 31 Mar 2008 10:31:50 +0000 Subject: Relevant BUGIDs: Purpose of commit: bugfix Commit summary: --------------- 2008-03-31 Dan Walsh * modules/pam_sepermit/pam_sepermit.c(sepermit_lock): Mark lock fd to be closed on exec. --- modules/pam_sepermit/pam_sepermit.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'modules') diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 47f95030..0d5ab21a 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -207,6 +207,9 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug) return -1; } + /* Need to close on exec */ + fcntl(fd, F_SETFD, FD_CLOEXEC); + if (fcntl(fd, F_SETLK, &fl) == -1) { pam_syslog(pamh, LOG_ERR, "User %s with exclusive login already logged in", user); close(fd); -- cgit v1.2.3
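Review bot: When restoring the exec context fails in enforcing mode the new code sets `status = PAM_AUTH_ERR`, but this is a session-management function; `PAM_SESSION_ERR` is the return code applications expect from pam_sm_close_session, and reporting an authentication error from session teardown is misleading in logs and to callers. Replace with `status = PAM_SESSION_ERR;`. The permissive-mode branch logs and still returns success, which is intentional, and the new `prev_user_context == NULL` case also returns success — worth a comment stating that there was nothing to restore, presumably because open_session never ran or failed. The function's body starts outside the hunk.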
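Review bot: The added `fcntl(fd, F_SETFD, FD_CLOEXEC)` ignores its return value and, more importantly, sets the flag only after the descriptor already exists, so another thread in the same process that forks and execs between the `open()` (outside the hunk) and this call still inherits the lock file descriptor into the child. On Linux the atomic form is `O_CLOEXEC` in the `open()` flags, with the fcntl kept only as a fallback for kernels that predate it; either way check the result and treat failure like any other lock error: `if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) { close(fd); return -1; }`. sepermit_lock's body starts outside the hunk.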