-rw-r--r-- | patches-applied/054_pam_security_abstract_securetty_handling | 240 |
1 files changed, 173 insertions, 67 deletions
diff --git a/patches-applied/054_pam_security_abstract_securetty_handling b/patches-applied/054_pam_security_abstract_securetty_handling
index db6b2386..2cfd9fde 100644
--- a/patches-applied/054_pam_security_abstract_securetty_handling
+++ b/patches-applied/054_pam_security_abstract_securetty_handling
@@ -1,44 +1,30 @@ -? Linux-PAM/modules/pammodutil/tty_secure.c Index: Linux-PAM/modules/pam_securetty/pam_securetty.c =================================================================== -RCS file: /afs/sipb.mit.edu/project/debian/cvs/pam/Linux-PAM/modules/pam_securetty/pam_securetty.c,v -retrieving revision 1.4 -diff -u -r1.4 pam_securetty.c ---- Linux-PAM/modules/pam_securetty/pam_securetty.c 21 Sep 2002 18:18:42 -0000 1.4 -+++ Linux-PAM/modules/pam_securetty/pam_securetty.c 4 Apr 2004 22:59:54 -0000 -@@ -34,6 +34,7 @@ - #define PAM_SM_AUTH - - #include <security/pam_modules.h> -+#include <security/_pam_modutil.h> - - /* some syslogging */ - -@@ -80,10 +81,8 @@ +--- Linux-PAM/modules/pam_securetty/pam_securetty.c (revision 295) ++++ Linux-PAM/modules/pam_securetty/pam_securetty.c (working copy) +@@ -78,11 +78,7 @@ int retval = PAM_AUTH_ERR; const char *username; char *uttyname; - char ttyfileline[256]; +- char ptname[256]; - struct stat ttyfileinfo; struct passwd *user_pwd; - FILE *ttyfile; -+ - int ctrl; - /* parse the arguments */ -@@ -106,10 +105,6 @@ + /* log a trail for debugging */ + if (ctrl & PAM_DEBUG_ARG) { +@@ -115,65 +111,12 @@ return PAM_SERVICE_ERR; } - /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ -- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) +- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) { - uttyname += sizeof(TTY_PREFIX)-1; -- - user_pwd = getpwnam(username); - if (user_pwd == NULL) { - return PAM_IGNORE; -@@ -119,44 +114,7 @@ - return PAM_SUCCESS; ++ retval = _pammodutil_tty_secure(uttyname); ++ if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { ++ _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", ++ username, uttyname); } - if (stat(SECURETTY_FILE, &ttyfileinfo)) { 
@@ -48,8 +34,7 @@ diff -u -r1.4 pam_securetty.c - error. */ - } - -- if ((ttyfileinfo.st_mode & S_IWOTH) -- || !S_ISREG(ttyfileinfo.st_mode)) { +- if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { - /* If the file is world writable or is not a - normal file, return error */ - _pam_log(LOG_ERR, SECURETTY_FILE 
@@ -58,58 +43,179 @@ diff -u -r1.4 pam_securetty.c - } - - ttyfile = fopen(SECURETTY_FILE,"r"); -- if(ttyfile == NULL) { /* Check that we opened it successfully */ +- if (ttyfile == NULL) { /* Check that we opened it successfully */ - _pam_log(LOG_ERR, - "Error opening " SECURETTY_FILE); - return PAM_SERVICE_ERR; - } -- /* There should be no more errors from here on */ -- retval=PAM_AUTH_ERR; -- /* This loop assumes that PAM_SUCCESS == 0 -- and PAM_AUTH_ERR != 0 */ -- while((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) -- && retval) { -- if(ttyfileline[strlen(ttyfileline) - 1] == '\n') +- +- if (isdigit(uttyname[0])) { +- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); +- } else { +- ptname[0] = '\0'; +- } +- +- retval = 1; +- +- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL) +- && retval) { +- if (ttyfileline[strlen(ttyfileline) - 1] == '\n') - ttyfileline[strlen(ttyfileline) - 1] = '\0'; -- retval = strcmp(ttyfileline,uttyname); +- +- retval = ( strcmp(ttyfileline, uttyname) +- && (!ptname[0] || strcmp(ptname, uttyname)) ); - } - fclose(ttyfile); -- if(retval) { -- _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", +- +- if (retval) { +- _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", - uttyname); -- retval = PAM_AUTH_ERR; +- +- retval = PAM_AUTH_ERR; +- } else { +- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) { +- _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", +- username, uttyname); +- } +- retval = PAM_SUCCESS; +- - } -+ retval = _pammodutil_tty_secure( uttyname); - if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) - _pam_log(LOG_DEBUG, "access allowed for '%s' on '%s'", - username, uttyname); -Index: Linux-PAM/modules/pammodutil/Makefile +- + return retval; + } + +Index: Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h =================================================================== -RCS file: 
/afs/sipb.mit.edu/project/debian/cvs/pam/Linux-PAM/modules/pammodutil/Makefile,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 Makefile ---- Linux-PAM/modules/pammodutil/Makefile 15 Sep 2002 20:09:04 -0000 1.1.1.1 -+++ Linux-PAM/modules/pammodutil/Makefile 4 Apr 2004 22:59:54 -0000 -@@ -18,7 +18,7 @@ - -DLIBPAM_VERSION_MINOR=$(MINOR_REL) +--- Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h (revision 295) ++++ Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h (working copy) +@@ -63,4 +63,6 @@ + extern int _pammodutil_write(int fd, const char *buffer, int count); + ++extern int _pammodutil_tty_secure(const char *uttyname); ++ + #endif /* _PAM_MODUTIL_H */ +Index: Linux-PAM/modules/pammodutil/Makefile +=================================================================== +--- Linux-PAM/modules/pammodutil/Makefile (revision 295) ++++ Linux-PAM/modules/pammodutil/Makefile (working copy) +@@ -20,7 +20,8 @@ # all the object files we care about --LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o -+LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o tty_secure.o + LIBOBJECTS = modutil_cleanup.o modutil_getpwnam.o modutil_getpwuid.o \ + modutil_getspnam.o modutil_getgrnam.o modutil_getgrgid.o \ +- modutil_ingroup.o modutil_getlogin.o modutil_ioloop.o ++ modutil_ingroup.o modutil_getlogin.o modutil_ioloop.o \ ++ tty_secure.o # static library name LIBSTATIC = $(LIBNAME).a -Index: Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h -=================================================================== -RCS file: /afs/sipb.mit.edu/project/debian/cvs/pam/Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h,v -retrieving revision 1.1.1.1 -diff -u -r1.1.1.1 _pam_modutil.h ---- Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h 15 Sep 2002 20:09:04 -0000 1.1.1.1 -+++ Linux-PAM/modules/pammodutil/include/security/_pam_modutil.h 4 Apr 2004 22:59:54 -0000 -@@ -30,4 +30,6 @@ - extern void 
_pammodutil_cleanup(pam_handle_t *pamh, void *data, - int error_status); - -+extern int _pammodutil_tty_secure( const char *uttyname); +--- /dev/null 1969-12-31 16:00:00.000000000 -0800 ++++ Linux-PAM/modules/pammodutil/tty_secure.c 2005-07-14 01:04:29.000000000 -0700 +@@ -0,0 +1,107 @@ ++/* A function to determine if a particular line is in /etc/securietty*/ + - #endif /* _PAM_MODUTIL_H */ ++ ++#define SECURETTY_FILE "/etc/securetty" ++#define TTY_PREFIX "/dev/" ++ ++/* This function taken out of pam_security by Sam Hartman <hartmans@debian.org>*/ ++/* ++ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software. ++ * July 25, 1996. ++ * Slight modifications AGM. 1996/12/3 ++ */ ++ ++#include <unistd.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <security/pam_modules.h> ++#include <stdarg.h> ++#include <syslog.h> ++#include <sys/syslog.h> ++#include <stdio.h> ++#include <string.h> ++#include <stdlib.h> ++#include <security/_pam_modutil.h> ++ ++static void _pam_log(int err, const char *format,...) 
++{ ++ va_list args; ++ const char tag[] = "(pam_securetty) "; ++ char *mod_format; ++ int free_mod_format = 1; ++ ++ mod_format = malloc( 1 + sizeof(tag) + strlen(format)); ++ if(mod_format == NULL) { ++ free_mod_format = 0; ++ mod_format = (char *) format; ++ } else { ++ strcpy(mod_format, tag); ++ strcat( mod_format, format); ++ } ++ ++ va_start(args, format); ++ vsyslog(err | LOG_AUTH, mod_format, args); ++ va_end(args); ++ ++ if (free_mod_format) free(mod_format); ++} ++ ++ ++int _pammodutil_tty_secure(const char *uttyname) ++{ ++ int retval = PAM_AUTH_ERR; ++ char ttyfileline[256]; ++ char ptname[256]; ++ struct stat ttyfileinfo; ++ FILE *ttyfile; ++ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */ ++ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) ++ uttyname += sizeof(TTY_PREFIX)-1; ++ ++ if (stat(SECURETTY_FILE, &ttyfileinfo)) { ++ _pam_log(LOG_NOTICE, "Couldn't open " SECURETTY_FILE); ++ return PAM_SUCCESS; /* for compatibility with old securetty handling, ++ this needs to succeed. But we still log the ++ error. 
*/ ++ } ++ ++ if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) { ++ /* If the file is world writable or is not a ++ normal file, return error */ ++ _pam_log(LOG_ERR, SECURETTY_FILE ++ " is either world writable or not a normal file"); ++ return PAM_AUTH_ERR; ++ } ++ ++ ttyfile = fopen(SECURETTY_FILE,"r"); ++ if(ttyfile == NULL) { /* Check that we opened it successfully */ ++ _pam_log(LOG_ERR, ++ "Error opening " SECURETTY_FILE); ++ return PAM_SERVICE_ERR; ++ } ++ ++ if (isdigit(uttyname[0])) { ++ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname); ++ } else { ++ ptname[0] = '\0'; ++ { ++ ++ retval = 1; ++ ++ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) ++ && retval) { ++ if(ttyfileline[strlen(ttyfileline) - 1] == '\n') ++ ttyfileline[strlen(ttyfileline) - 1] = '\0'; ++ retval = ( strcmp(ttyfileline,uttyname) ++ && (!ptname[0] || strcmp(ptname, uttyname)) ); ++ } ++ fclose(ttyfile); ++ ++ if(retval) { ++ _pam_log(LOG_WARNING, "access denied: tty '%s' is not secure !", ++ uttyname); ++ retval = PAM_AUTH_ERR; ++ } ++ ++ return retval; ++} |
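Review bot: In the new tty_secure.c added at the end of this hunk, the `else` branch that clears `ptname` is closed with `{` instead of `}` (`ptname[0] = '\0'; {`), which leaves a brace unbalanced at the end of `_pammodutil_tty_secure` and will not compile as it appears here; it should read `} else { ptname[0] = '\0'; }`. The pts handling in the comparison a few lines below is also inert: `ptname` is built by prefixing `uttyname` with `"pts/"`, so `strcmp(ptname, uttyname)` can never return 0 and a numeric PAM_TTY is never matched against a `pts/N` entry in /etc/securetty — this fails closed rather than opening a bypass, but it is presumably not the intent; the clause should compare against the file line, `&& (!ptname[0] || strcmp(ptname, ttyfileline))`. `isdigit()` is used but `<ctype.h>` is not among the new file's includes, and the argument should be widened first, `isdigit((unsigned char)uttyname[0])`, since plain `char` may be signed. Separately, the world-writable/regular-file check runs `stat()` on the path and the file is then opened by a second lookup; checking `fstat(fileno(ttyfile), &ttyfileinfo)` after the `fopen()` would apply the mode check to the object actually read. The `_pam_log` helper in the same file still tags every message with `(pam_securetty)`, so any other caller of the shared helper will have its log lines attributed to that module.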