If /etc/nologin is larger than INT_MAX, the error messages are
misleading. No unexpected internal read error occurs, but instead
the internal limitations are reached.
Indicate that the file is too large if it is larger than INT_MAX.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

If the file parsed by pam_echo is larger than INT_MAX, then it is
possible that uninitialized memory is printed on screen.
The return value of pam_modutil_read is not negative if the size
argument (cast to an int) is negative. Instead 0 is returned.
This can also happen with any other file if a short read is triggered.
Check if file is fully parsed or not.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Make sure that we do not follow any symbolic links within the home
directory of a user. If such a link exists, it must have been
created by someone else. Never follow them and just fail.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Encountering a relative home directory can only mean trouble.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Extract logic responsible for copying single directory entries into its
own function for easier error handling, i.e. using goto for clean up
of variables used in "for loop".
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

The mkhomedir_helper treats an already existing home directory as
success. Keep this logic within create_homedir to reduce the
negative impact of concurrently running instances.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Treat symlink creation failures the same way as failures when
creating files and directories.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

If HOME_MODE of login.conf is more restrictive than the default
directory mode with umask, a short time window exists in which the home
directory has a less restrictive mode than requested (between
create_homedir and prelude of create_homedir_helper).
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

In some error cases in create_homedir ownership and mode of the newly
created directory are not set. Always do so to prevent root-owned
directories as error leftovers.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Retrieves YESCRYPT_COST_FACTOR from /etc/login.defs for yescrypt
in a similar fashion to reading number of rounds for SHA-2.
Resolves #607.
Signed-off-by: Nathan Du <nathandu@outlook.com>

This is much easier to read, does the same and is less prone
to getting memcpy and strcpy wrong.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

Passing an indeterminate number of arguments via varargs to a function is
dependent on the compiler implementation. Instead, as we are handing off
the argv to execv directly anyway without further processing we can
build this array inline at the call site instead.
Doing so actually also avoids a previous limitation of the old
implementation where long argument lists could have been truncated
silently to their first nine arguments. The new implementation does not
impose such a limit on the caller.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

* modules/pam_canonicalize_user/tst-pam_canonicalize_user-retval.c: New
file.
* modules/pam_canonicalize_user/Makefile.am (TESTS): Add
$(check_PROGRAMS).
(check_PROGRAMS, tst_pam_canonicalize_user_retval_LDADD): New variables.

This module uses the name of the user obtained via pam_get_user(3)
as a key to query the password database, and replaces PAM_USER
with the pw_name value that has been returned.
The main usage scenario is systems where a user name is used in several
distinct authentication systems, some of them being case sensitive while
others are not.
* configure.ac (AC_CONFIG_FILES): Add
modules/pam_canonicalize_user/Makefile.
* doc/sag/pam_canonicalize_user.xml: New file.
* doc/sag/Linux-PAM_SAG.xml: Add a reference to
pam_canonicalize_user.xml.
* modules/Makefile.am (SUBDIRS): Add pam_canonicalize_user.
* modules/pam_canonicalize_user/Makefile.am: New file.
* modules/pam_canonicalize_user/README.xml: New file.
* modules/pam_canonicalize_user/pam_canonicalize_user.8.xml: New file.
* modules/pam_canonicalize_user/pam_canonicalize_user.c: New file.
* modules/pam_canonicalize_user/tst-pam_canonicalize_user: New file.

* libpam/pam_misc.c (_pam_mkargv): Return 0 in case of memory allocation
failure.

When there's a loop of configuration files consisting solely of includes
the recursion depth level is never incremented and thus no upper limit is
enforced. This leads to a crash caused by a stack overflow.
This patch updates the logic to track both the number of includes as well
as the number of substacks we are on; ultimately adding a new parameter
to track this information.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

Marking the functions _pam_output_debug and _pam_output_debug_info as
potentially unused reduces the noise when compiling in debug mode.
The warning is produced whenever _pam_macros.h is included, but no
debug output is produced by the module. Just marking the function
as static inline, which would have a similar effect, does not work
for various reasons and produces new issues instead.
Thus silencing this warning by telling the compiler about our intentions
with these functions is the better approach.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

Marking _pam_output_debug as printf-style function allows the compiler to
check for potential errors at places where this function is called, like
mismatches in the argument types or insufficient number of arguments.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

When printing the current day and when the password was last changed,
a truncation of the value could happen due to incorrect data types used
in the format string.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

The value of pp can potentially be NULL. This handles this case when
printing debug output.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

The debug message was placed outside the password length check and thus
if the length check succeeded no message would have been placed.
Comparing this location with other occurrences indicates this was by mistake,
thus the message is now suppressed if there's nothing to print anyway.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

While the underlying type for setting the service was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

As the context variables can be NULL at this point, this has to be
reflected when printing them for debug purposes.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

While the underlying type for setting the user was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

While the underlying type for setting the user was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

While the underlying type for setting the service was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

There was a debug message still using %d (int) instead of the
contextually correct %zu (size_t AKA long unsigned int), potentially
causing silent truncation of the printed value.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

As the string to output here is user-controlled this could lead
to format string attacks. Possible impact is at least information
leakage about the program stack.
To avoid this, make the format string fixed and insert the actual
string for output as an argument.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

The value returned by the preceding _pam_dispatch has been limited to
PAM_INCOMPLETE by the point this debug output is generated. Thus there
is no point in repeating it in the message - in fact it was not even
part of the format string before, thus adding it would make no sense.
On the other hand, if there is no place to print the (known) value of
retval here, there's also no point in providing it to the debug output
function either. Thus let's drop it.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

While the underlying type for setting the TTY was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

Several debug messages were using %u (unsigned int) instead of the
contextually correct %zu (size_t AKA long unsigned int), potentially
causing silent truncation of the printed value.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

Previously, there was a missing argument to the debug output within
_pam_dispatch when _pam_dispatch_aux returned an error. This updates
the debug message in that situation to include the module name that
was involved with the failure.
Signed-off-by: Benny Baumann <BenBE@geshi.org>

Only allow shells with absolute paths. Also handle line truncations
which could occur with fgets by preferring getline/getdelim.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

If fgets encounters a file with a \0 at the beginning of a line, then
strlen()-1 would turn negative. Check if line has at least one
character in it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

If an executed program prints \0 at the beginning of a line, then
pam_exec triggers an out of boundary read (and possibly write) on
the stack.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
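
The empty-line check described in the two commit messages above (a \0 at the start of a line read by fgets), as an added example that is not code from Linux-PAM. The names strip_newline, read_line and sample_stream are hypothetical and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern the commit messages describe (not executed here):
 *     buf[strlen(buf) - 1] = '\0';
 * If buf[0] is '\0', strlen() returns 0 and the index becomes -1
 * (SIZE_MAX as size_t), i.e. an access outside the buffer. */

/* Strip one trailing newline. Returns the new length, or -1 when the
 * line holds no characters (fgets stored a leading NUL byte). */
static long strip_newline(char *buf)
{
    size_t len = strlen(buf);
    if (len == 0)
        return -1;                  /* never evaluate buf[len - 1] */
    if (buf[len - 1] == '\n')
        buf[--len] = '\0';
    return (long)len;
}

/* Read one line with fgets: length, -1 on empty line, -2 on EOF/error. */
static long read_line(FILE *fp, char *buf, size_t size)
{
    if (fgets(buf, (int)size, fp) == NULL)
        return -2;
    return strip_newline(buf);
}

/* Constructed input: a normal line, then a line starting with NUL. */
static FILE *sample_stream(void)
{
    static const char data[] = "ok\n\0hidden\n";
    FILE *fp = tmpfile();
    if (fp != NULL) {
        fwrite(data, 1, sizeof data - 1, fp);
        rewind(fp);
    }
    return fp;
}

int main(void)
{
    char buf[64];
    FILE *fp = sample_stream();
    if (fp == NULL) return 1;
    for (long n; (n = read_line(fp, buf, sizeof buf)) != -2; )
        printf("%ld\n", n);         /* length, or -1 for the rejected line */
    fclose(fp);
    return 0;
}
```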

The module might overflow heap on 32 bit systems if a 4 GB file is
supplied as argument.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

The argument vector for a module is created in _pam_parse_conf_file,
which is performed by _pam_mkargv. If memory allocation fails in
_pam_mkargv, then an empty argv is returned. This has to be checked by
the caller to not silently drop arguments requested by configuration.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

It is possible to trigger a signed integer overflow when parsing
jump numbers for pam return types.
Fail if the number becomes too large.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

It is not required to cast the results of calloc, malloc,
realloc, etc.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

The first argument of IF_NO_PAMH is supposed to be the name of the
function which was called with pamh being NULL.
With __FUNCTION__ the name can be inserted automatically by the
compiler which is also already done with D macro.
Fixes a bug in which _pam_drop_env erroneously logs with the
function name _pam_make_env.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Reading "other" is not meant as a file, which the debug message might
look like. Copy the same debug message used when opening a module.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

The D macro itself already adds the function names.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

The D macro itself already adds the function names.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

The amount of va_start and va_end calls should be identical. Since
va_end is called right after vasprintf, don't call it later again.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

If a configuration file contains lines which are longer than 1024
characters, _pam_assemble_line splits them into multiple ones.
This may lead to comments being interpreted as actual configuration
lines.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
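
How splitting an overlong line makes the tail of a comment look like a line of its own, and one way to reject such lines instead, as an added example that is not Linux-PAM's code. The names count_naive, count_strict and run and the sample file are constructed for illustration; only the 1024-byte size comes from the commit message above.

```c
#include <stdio.h>
#include <string.h>
#define MAX_LINE 1024   /* buffer size named in the commit message */

/* Naive: each fgets chunk counts as a line, so the tail of an overlong
 * comment no longer starts with '#' and is counted as configuration. */
static int count_naive(FILE *fp)
{
    char buf[MAX_LINE];
    int count = 0;
    while (fgets(buf, sizeof buf, fp) != NULL)
        count += (buf[0] != '#' && buf[0] != '\n' && buf[0] != '\0');
    return count;
}

/* Strict: a chunk with no trailing newline before EOF did not fit the
 * buffer; return -1 rather than parse the remainder as a new line. */
static int count_strict(FILE *fp)
{
    char buf[MAX_LINE];
    int count = 0;
    while (fgets(buf, sizeof buf, fp) != NULL) {
        size_t len = strlen(buf);
        if (len > 0 && buf[len - 1] == '\n')
            buf[--len] = '\0';
        else if (!feof(fp))
            return -1;
        if (len > 0 && buf[0] != '#')
            count++;
    }
    return count;
}

/* Constructed file: a comment of comment_len bytes, then one rule.
 * Returns the number of configuration lines the chosen reader sees. */
static int run(size_t comment_len, int strict)
{
    FILE *fp = tmpfile();
    int n;
    if (fp == NULL) return -2;
    fputc('#', fp);
    for (size_t i = 1; i < comment_len; i++) fputc('x', fp);
    fputs("\nauth required pam_deny.so\n", fp);
    rewind(fp);
    n = strict ? count_strict(fp) : count_naive(fp);
    fclose(fp);
    return n;
}

int main(void)
{
    return printf("naive=%d strict=%d\n", run(1500, 0), run(1500, 1)) < 0;
}
```

With a 1500-byte comment the naive reader reports two configuration lines although the file contains one; the strict reader refuses the file.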

An endless loop with fgets can be triggered if exactly one free byte
is left in buffer, because fgets will fill this byte with \0 without
reading any further data from file.
This requires an invalid system configuration.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>