| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
| |
When there's a loop of configuration files consisting solely of includes
the recursion depth level is never incremented and thus no upper limit is
enforced. This leads to a crash caused by a stack overflow.
This patch updates the logic to track both the number of includes as well
as the number of substacks we are on; ultimately adding a new parameter
to track this information.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Marking the functions _pam_output_debug and _pam_output_debug_info as
potentially unused reduces the noise when compiling in debug mode.
The warning is produced whenever _pam_macros.h is included, but no
debug output is produced by the module. Just marking the function
as static inline, which would have a similar effect, does not work
for various reasons and produces new issues instead.
Thus silencing this warning by telling the compiler about our intentions
with these functions is the better approach.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Marking _pam_output_debug as printf-style function allows the compiler to
check for potential errors at places where this function is called, like
mismatches in the argument types or insufficient number of arguments.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
The value returned by the preceding _pam_dispatch has been limited to
PAM_INCOMPLETE by the point this debug output is generated. Thus there
is no point in repeating it in the message - in fact it was not even
part of the format string before, thus adding it would make no sense.
On the other hand, if there is no place to print the (known) value of
retval here, there's also no point in providing it to the debug output
function either. Thus let's drop it.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
While the underlying type for setting the TTY was correct, the
additional output neglected to include the type cast necessary when
actually printing the data. This is rectified here.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Several debug messages were using %u (unsigned int) instead of the
contextually correct %zu (size_t AKA long unsigned int), potentially
causing silent truncation of the printed value.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
Previously, there was a missing argument to the debug output within
_pam_dispatch when _pam_dispatch_aux returned an error. This updates
the debug message in that situation to include the module name that
was involved with the failure.
Signed-off-by: Benny Baumann <BenBE@geshi.org>
| |
The argument vector for a module is created in _pam_parse_conf_file,
which is performed by _pam_mkargv. If memory allocation fails in
_pam_mkargv, then an empty argv is returned. This has to be checked by
the caller to not silently drop arguments requested by configuration.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
It is possible to trigger a signed integer overflow when parsing
jump numbers for pam return types.
Fail if the number becomes too large.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
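The check this commit message describes, as an added example (not Linux-PAM's code; `parse_jump` is a hypothetical name): test the accumulator against `INT_MAX` before multiplying, so an over-long digit string is rejected instead of overflowing a signed `int`.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/*
 * Parse a non-negative decimal jump count. Returns 0 and stores the value
 * in *out, or -1 for empty input, a non-digit, or a value above INT_MAX.
 */
int parse_jump(const char *s, int *out)
{
    int n = 0;

    if (*s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        int d;

        /* ctype functions need a value representable as unsigned char */
        if (!isdigit((unsigned char)*s))
            return -1;
        d = *s - '0';
        /* Compare before computing n * 10 + d, so no overflow can occur */
        if (n > (INT_MAX - d) / 10)
            return -1;
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a small jump, INT_MAX for 32-bit int, one past it */
    const char *samples[] = { "2", "2147483647", "2147483648", "12x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = 0;
        int rc = parse_jump(samples[i], &v);
        printf("%-12s rc=%d value=%d\n", samples[i], rc, rc == 0 ? v : 0);
    }
    return 0;
}
```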
| |
It is not required to cast the results of calloc, malloc,
realloc, etc.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The first argument of IF_NO_PAMH is supposed to be the name of the
function which was called with pamh being NULL.
With __FUNCTION__ the name can be inserted automatically by the
compiler which is also already done with D macro.
Fixes a bug in which _pam_drop_env erroneously logs with the
function name _pam_make_env.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Reading "other" is not meant as a file, which the debug message might
look like. Copy the same debug message used when opening a module.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The D macro itself already adds the function names.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
The D macro itself already adds the function names.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
If a configuration file contains lines which are longer than 1024
characters, _pam_assemble_line splits them into multiple ones.
This may lead to comments being interpreted as actual configuration
lines.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
An endless loop with fgets can be triggered if exactly one free byte
is left in buffer, because fgets will fill this byte with \0 without
reading any further data from file.
This requires an invalid system configuration.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
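The stall described in this commit message, reproduced as an added example (not Linux-PAM's code; `assemble_line`, its `checked` flag and the `max_iter` cap are hypothetical): with one free byte, `fgets()` stores only the terminator and returns success, so a loop waiting for a newline never advances.

```c
#include <stdio.h>
#include <string.h>

enum { LINE_OK, LINE_EOF, LINE_TOO_LONG, LINE_STALLED };

/*
 * Collect one line into buf by calling fgets() until a newline arrives.
 * checked == 0: the stalling pattern; max_iter stands in for "forever".
 * checked != 0: refuse to call fgets() when only the terminator fits.
 */
int assemble_line(FILE *f, char *buf, size_t size, int checked, int max_iter)
{
    size_t used = 0;

    if (size == 0)
        return LINE_TOO_LONG;
    buf[0] = '\0';
    for (int i = 0; i < max_iter; i++) {
        size_t room = size - used;

        if (checked && room <= 1)
            return LINE_TOO_LONG;       /* no progress possible: fail */
        if (fgets(buf + used, (int)room, f) == NULL)
            return used ? LINE_OK : LINE_EOF;
        used += strlen(buf + used);     /* grows by 0 when room == 1 */
        if (used > 0 && buf[used - 1] == '\n')
            return LINE_OK;
    }
    return LINE_STALLED;                /* cap hit: endless without it */
}

int main(void)
{
    char buf[8];
    FILE *f = tmpfile();

    if (f == NULL)
        return 1;
    fputs("0123456789\n", f);           /* constructed over-long line */
    rewind(f);
    printf("naive=%d ", assemble_line(f, buf, sizeof buf, 0, 1000));
    rewind(f);
    printf("checked=%d\n", assemble_line(f, buf, sizeof buf, 1, 1000));
    fclose(f);
    return 0;
}
```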
| |
The debug output of environment variables tries to properly format
pointers in a right-aligned way. 9 characters are not enough for
32 bit pointers though due to prepended 0x. Also, it takes 18 for
64 bit systems.
Adjust the formatter properly for architectures.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
It is possible to trigger an integer overflow in _pam_strdup
if the passed string is longer than INT_MAX, which could lead
to a smaller memory allocation than needed for the strcpy call.
This in turn could lead to a heap overflow.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
* configure.ac: check whether close_range() is available in the system.
* libpam/pam_modutil_sanitize.c: use close_range() to close all file
descriptors. If the interface isn't available use the previous
approach.
Link: https://github.com/linux-pam/linux-pam/pull/276
Resolves: https://issues.redhat.com/browse/RHEL-5099
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
pam_putenv and pam_getenv do not properly handle strings which are
longer than 2 GB (INT_MAX).
In pam_putenv the l2eq variable could overflow and turn negative,
leading to out of boundary access (after the fact that signed integer
overflow is undefined behavior).
In pam_getenv a very long string could lead to a small int value
so other environment variables could match.
The easiest fix for both is to use size_t.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
| |
Without the change locales are not visible to applications using PAM if
PAM library is installed into a --prefix= different from the default
one.
| |
Identifiers starting with an underscore are reserved by the C standard.
Also avoid double underscores, which are reserved by C++, in header file.
| |
Character handling functions, like isspace(3), expect a value
representable as unsigned char or equal to EOF. Otherwise the behavior
is undefined.
See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
| |
If the pam handlers fail to initialize halfway, clean them up
afterwards. Since we set the handle to NULL callers can't clean them.
| |
PATH_MAX is optional in POSIX, and not defined on GNU/Hurd; since these
sources are tests, it is fine to hardcode a fallback value that allows
the tests to build and run.
| |
Non-trivial changes:
- erase responses in pam_get_authtok_internal() on error branch
| |
Avoid compiler optimizations to elide the memory erasure by using a
secure method: either memset_explicit() [C23], bzero_explicit() [glibc
2.25] or a manual memory barrier.
Since the current helpers _pam_overwrite*() and _pam_drop_reply() are
publicly exported, create new ones in "pam_inline.h" and deprecate the
old ones.
| |
utmp uses 32bit time_t for compatibility with 32bit userland on some
64bit systems and is thus not Y2038 safe. Use getlogin() from libc
which avoids using utmp and is more safe than the old utmp-based
implementation by using /proc/self/loginuid.
* libpam/pam_modutil_getlogin.c: Use getlogin() instead of parsing utmp
| |
* libpam/include/pam_cc_compat.h (DIAG_PUSH_IGNORE_FORMAT_NONLITERAL,
DIAG_POP_IGNORE_FORMAT_NONLITERAL): New macros.
* libpam/pam_handlers.c (_pam_open_config_file): Use them to exempt
usage of format string literals from a constant array.
* m4/warn_lang_flags.m4 (gl_WARN_ADD): Add -Wformat=2.
| |
Apparently, the PAM_SHL variant cannot be compiled since the very first
commit back in 2005 when it was introduced, and another variant uses
PAM_DYLD which is virtually unknown to search engines.
* libpam/pam_dynamic.c [PAM_SHL || PAM_DYLD]: Remove.
Resolves: https://github.com/linux-pam/linux-pam/issues/477
| |
files.
Fix undefined references to ${exec_prefix} in pkgconfig files on Guix.
The subsequent declarations of ${libdir} and ${includedir} in the same
files require this commit when ${prefix} is set to something other
than /usr.
When the pkgconfig files were initially provided, the two lines added
here were dropped for what seemed like a good reason. [1] In the
common case of a /usr prefix, 'configure.ac' sets ${libdir} and
possibly ${includedir} explicitly [2] so the additional lines were
then not needed.
Guix and probably Nix too, however, depart from the Filesystem
Hierarchy Standard and require the missing lines. Without those lines,
the pkgconfig files are defective on Guix. [3]
Since working systems are not affected, the lines are added for all.
The fix was confirmed for Guix. One of the files looked like this:
    prefix=/gnu/store/3mcmjilqrivrpb3hvps32lnbnyrxrzr8-linux-pam-1.5.2-1.dc2f566
    exec_prefix=${prefix}
    libdir=${exec_prefix}/lib
    includedir=/gnu/store/3mcmjilqrivrpb3hvps32lnbnyrxrzr8-linux-pam-1.5.2-1.dc2f566/include/security
    Name: PAM
    Description: The primary Linux-PAM library. It is used by PAM modules and PAM-aware applications.
    URL: http://www.linux-pam.org/
    Version: 1.5.2
    Cflags: -I${includedir}
    Libs: -L${libdir} -lpam
* libpam/pam.pc.in, libpamc/pamc.pc.in, libpam_misc/pam_misc.pc.in:
Add @prefix@ and @exec_prefix@.
Resolves: https://github.com/linux-pam/linux-pam/issues/466
[1] https://github.com/linux-pam/linux-pam/pull/369#discussion_r650557756
[2] https://github.com/linux-pam/linux-pam/blob/40c271164dbcebfc5304d0537a42fb42e6b6803c/configure.ac#L28-L36
[3] https://github.com/linux-pam/linux-pam/issues/466
| |
* libpam/include/security/pam_modutil.h: Improve the
pam_modutil_search_key() interface documentation.
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
| |
* libpam/pam_handlers.c (_pam_add_handler): Use calloc instead of malloc
for struct handler allocation to avoid returning garbage in some fields
of the structure on error path.
Resolves: https://github.com/linux-pam/linux-pam/issues/475
| |
* libpam/Makefile.am (libpam_la_LIBADD): Add @LTLIBINTL@.
Resolves: https://github.com/linux-pam/linux-pam/pull/433
| |
* .gitignore: Add .pc files as they are generated by autoconf.
* configure.ac: Generate .pc files for libpam, libpam_misc and libpamc.
* libpam/Makefile.am: Install pam.pc.
* libpam/pam.pc.in: New file.
* libpam_misc/Makefile.am: Install pam_misc.pc
* libpam_misc/pam_misc.pc.in: New file.
* libpamc/Makefile.am: Install pamc.pc
This allows applications and PAM modules to automatically find libpam,
libpam_misc and libpamc if they are installed instead of having to
manually search for them.
| |
Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a
call to initgroups(). This makes sure that the user's supplementary
groups are also configured. Fall back to setgroups(0, NULL) in case the
initgroups() call fails.
This fixes the permission check in pam_motd: this feature was intended
to allow setting permissions on a motd file to prevent it from being
shown to users who are not a member of a particular group (for example,
wheel).
Closes #292
| |
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
| |
Found with AddressSanitizer in pam_wrapper tests.
==985738== 44 bytes in 4 blocks are definitely lost in loss record 18 of 18
==985738== at 0x4839809: malloc (vg_replace_malloc.c:307)
==985738== by 0x48957E1: _pam_strdup (pam_misc.c:129)
==985738== by 0x489851B: _pam_start_internal (pam_start.c:85)
==985738== by 0x4849C8C: libpam_pam_start_confdir (pam_wrapper.c:418)
==985738== by 0x484AF94: pwrap_pam_start (pam_wrapper.c:1461)
==985738== by 0x484AFEE: pam_start (pam_wrapper.c:1483)
==985738== by 0x401723: setup_noconv (test_pam_wrapper.c:189)
==985738== by 0x4889E82: ??? (in /usr/lib64/libcmocka.so.0.7.0)
==985738== by 0x488A444: _cmocka_run_group_tests (in /usr/lib64/libcmocka.so.0.7.0)
==985738== by 0x403EE5: main (test_pam_wrapper.c:1059)
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
| |
libpam/pam_dispatch: remove store statement since the value is never
read.
| |
This reverts commit 1b087edc7f05237bf5eccc405704cd82b848e761.
| |
* libpam/include/pam_inline.h (pam_read_passwords): Increment pptr once
instead of using pptr+1 several times. This change is not expected
to affect the code generated by the compiler as the latter is likely
to perform the optimization itself.
| |
[ldv: rewrote commit message]
* modules/pam_unix/passverify.h (read_passwords): Remove prototype.
* modules/pam_unix/passverify.c (read_passwords): Move ...
* libpam/include/pam_inline.h: ... here, rename to pam_read_passwords,
add static inline qualifiers.
Include <unistd.h> and <errno.h>.
* modules/pam_unix/unix_chkpwd.c: Include "pam_inline.h".
(main): Replace read_passwords with pam_read_passwords.
* modules/pam_unix/unix_update.c: Include "pam_inline.h".
(set_password): Replace read_passwords with pam_read_passwords.
| |
* libpam/pam_modutil_check_user.c (pam_modutil_check_user_in_passwd): Do
not exit the file reading loop when the user is found, continue reading
the file to avoid timing attacks.
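A scan in the style this commit message describes, as an added example (not the project's `pam_modutil_check_user_in_passwd`; `user_in_passwd` and the sample entries are constructed for illustration): a match is recorded but the loop keeps reading to end of file, so the number of lines read does not depend on where, or whether, the user appears.

```c
#include <stdio.h>
#include <string.h>

/*
 * Look for "user:" at the start of a line in a passwd-style stream.
 * Every line is read even after a match; *lines_read reports how many.
 * Chunks that continue an over-long line are never treated as new lines.
 */
int user_in_passwd(FILE *f, const char *user, size_t *lines_read)
{
    char line[256];
    size_t ulen = strlen(user);
    int found = 0;
    int at_start = 1;

    *lines_read = 0;
    if (ulen == 0 || strchr(user, ':') != NULL)
        return 0;                       /* would break the field match */
    while (fgets(line, sizeof line, f) != NULL) {
        size_t n = strlen(line);

        if (at_start) {
            (*lines_read)++;
            /* Whole-field match: "root" must not match "rooter:..." */
            if (strncmp(line, user, ulen) == 0 && line[ulen] == ':')
                found = 1;              /* remember, but keep reading */
        }
        at_start = (n > 0 && line[n - 1] == '\n');
    }
    return found;
}

int main(void)
{
    size_t n = 0;
    FILE *f = tmpfile();

    if (f == NULL)
        return 1;
    /* Constructed passwd-style entries */
    fputs("root:x:0:0::/root:/bin/sh\nalice:x:1001:1001::/home/alice:/bin/sh\n", f);
    rewind(f);
    printf("found=%d ", user_in_passwd(f, "root", &n));
    printf("lines=%zu\n", n);
    fclose(f);
    return 0;
}
```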
| |
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* modules/pam_localuser/pam_localuser.c: Include
<security/pam_modutil.h>.
(pam_sm_authenticate): Replace check_user_in_passwd with
pam_modutil_check_user_in_passwd.
(check_user_in_passwd): Rename to pam_modutil_check_user_in_passwd,
move to ...
* libpam/pam_modutil_check_user.c: ... new file.
* libpam/Makefile.am (libpam_la_SOURCES): Add pam_modutil_check_user.c.
* libpam/include/security/pam_modutil.h
(pam_modutil_check_user_in_passwd): New function declaration.
* libpam/libpam.map (LIBPAM_MODUTIL_1.4.1): New interface.
Co-authored-by: Dmitry V. Levin <ldv@altlinux.org>
| |
Introduce a new internal header file for definitions of handy macros
providing convenient assertion testing functionality.
* libpam/include/test_assert.h: New file.
* libpam/Makefile.am (noinst_HEADERS): Add include/test_assert.h.
| |
When the conversation function returned a value different from
PAM_CONV_AGAIN and provided no response, pam_get_user used to replace
the return value with PAM_CONV_ERR. Fix this and replace the return
value only if it was PAM_SUCCESS.
* libpam/pam_item.c (pam_get_user): Do not override valid values
returned by the conversation function.
| |
Do not assume that the conversation function provided by the application
strictly follows the return values guidelines, replace undocumented
return values with PAM_CONV_ERR.
* libpam/pam_item.c (pam_get_user): If the value returned by the
conversation function is not one of PAM_SUCCESS, PAM_BUF_ERR,
PAM_CONV_AGAIN, or PAM_CONV_ERR, replace it with PAM_CONV_ERR.