| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
| |
There is no point in supporting two different build systems.
|
| |
|
|
|
|
|
|
|
|
| |
On my non-representative hardware, the full build using autotools
(./autogen.sh && CFLAGS=-O2 ./configure && make -j`nproc` && make -j`nproc` install)
takes about 45 seconds.
On the same hardware, the full build using meson
(meson setup -Doptimization=2 dir && meson compile -C dir && meson install -C dir)
takes just about 7.5 seconds.
|
| |
|
|
| |
Make sure that config.h is included before any system header.
|
| |
|
|
|
| |
... for the same reason SCONFIGDIR config.h macro was renamed to
SCONFIG_DIR.
|
| |
|
|
|
|
|
| |
This way it is visibly different from the configure variable SCONFIGDIR,
which is helpful, because their values are slightly different:
the macro is quoted while the configure variable is not quoted,
and this difference may cause problems with other build systems.
|
| |
|
|
| |
Log in case the current fscreate context could not be retrieved.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_namespace/pam_namespace.c (create_polydir) [WITH_SELINUX]:
Free SELinux context in case of an error.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1433: alloc_arg: "getfscreatecon_raw" allocates memory that is stored into "oldcon_raw".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1462: leaked_storage: Variable "oldcon_raw" going out of scope leaks the storage it points to.
1460| pam_syslog(idata->pamh, LOG_ERR,
1461| "Error creating directory %s: %m", dir);
1462|-> return PAM_SESSION_ERR;
1463| }
1464|
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* modules/pam_namespace/pam_namespace.c [WITH_SELINUX] (form_context):
Free SELinux context before returning.
```
Error: RESOURCE_LEAK (CWE-772):
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:928: alloc_arg: "getexeccon" allocates memory that is stored into "scon".
Linux-PAM-1.6.0/modules/pam_namespace/pam_namespace.c:1004: leaked_storage: Variable "scon" going out of scope leaks the storage it points to.
1002| }
1003| /* Should never get here */
1004|-> return PAM_SUCCESS;
1005| }
1006| #endif
```
Resolves: https://issues.redhat.com/browse/RHEL-36475
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The pam client library libpamc is only needed if libpam_misc is in use.
But libpam_misc is only used by an SELinux helper binary.
Remove the libpamc includes from the search path in all other cases.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
Given that sed is considered a more lightweight dependency than awk,
and since sed is used by pam_namespace_helper anyway, use sed instead of
awk in namespace.init as well.
* modules/pam_namespace/namespace.init: Use sed instead of awk to obtain
the UMASK value from /etc/login.defs.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_namespace.c makes use of SIZE_MAX but doesn't include stdint.h,
resulting in the following build failures on 1.6.0:
pam_namespace.c: In function 'process_line':
pam_namespace.c:649:41: error: 'SIZE_MAX' undeclared (first use in this function)
649 | if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
| ^~~~~~~~
pam_namespace.c:41:1: note: 'SIZE_MAX' is defined in header '<stdint.h>'; did you forget to '#include <stdint.h>'?
40 | #include "argv_parse.h"
+++ |+#include <stdint.h>
41 |
pam_namespace.c:649:41: note: each undeclared identifier is reported only once for each function it appears in
649 | if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
| ^~~~~~~~
Fixes: v1.6.0~100 ("pam_namespace: validate amount of uids in config")
Resolves: https://github.com/linux-pam/linux-pam/issues/733
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
being placed in user controlled directories, causing the PAM module to
block indefinitely during `openat()`.
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
refer to a directory.
With this the check whether the final path element is a directory
becomes unnecessary, drop it.
|
| |
|
|
|
|
|
|
|
|
| |
Building outside of source directory fails if --disable-doc is not
explicitly chosen.
This happens because generated files are sometimes expected in the
source directory, where they won't exist.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If more than INT_MAX uids are found in a configuration line, the
variable `count` would trigger a signed integer overflow.
If more than UINT_MAX uids are found in a configuration line, then
the `num_uids` counter is invalid, which could eventually lead to out
of boundary accesses.
Also make sure that size multiplication for malloc does not overflow.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Currently the `rm` subprocess and the namespace init script inherit a
random set of open file descriptors from the process running PAM.
Depending on the actual PAM stack configuration these can even be
security sensitive files. In any case it is unclean to inherit
unexpected open file descriptors to child processes like this.
To address this close all file descriptors except stdio before executing
a new program.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
If a line in namespace.conf only consists of one field then the error
handling logic in process_line() ends up in a double-free, resulting in
a process abort in libc.
It looks like instead of NULLing the `dir` variable, the
`instance_prefix` is NULLed, without purpose. Fix this.
|
| |
|
|
|
|
|
|
| |
The asprintf function is considered as given for current code already.
Use it instead of calling malloc + strcpy + strcat manually.
Reported-by: Benny Baumann <BenBE@geshi.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
Suggested-by: Benny Baumann <BenBE@geshi.org>
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
| |
Typos found with codespell
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
If a lot of arguments are found in a namespace.conf file, argc might
overflow, which is an undefined behavior.
In most cases, the realloc will instantly fail due to a wrap around.
Protect properly by avoiding the calculation in the first place.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
| |
Very long strings could overflow the int data type. Make sure to use
the correct data type.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
The C standard guarantees that if the argument of free() is a null
pointer, no action occurs.
|
| |
|
|
|
|
|
| |
It is not required to cast the results of calloc, malloc,
realloc, etc.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
Character handling functions, like isspace(3), expect a value
representable as unsigned char or equal to EOF. Otherwise the behavior
is undefined.
See https://wiki.sei.cmu.edu/confluence/display/c/STR37-C.+Arguments+to+character-handling+functions+must+be+representable+as+an+unsigned+char
|
| |
|
|
|
|
|
|
| |
GCC and Clang only define the macro `linux` when using the GNU dialect
of C (e.g. -std=gnu11 instead of -std=c11). Since `linux` is also not
in a reserved namespace it might be target of collisions.
Use the canonical macro `__linux__` instead (already used in
pam_limits.c).
|
| |
|
|
| |
This should fix shellcheck warning SC2004.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use empty initialization of structs to minimize the memset() usage, to
reduce the amount of calls which are not sensitive.
Non trivial changes:
- pam_env:
* erase environment variables where possible
- pam_exec:
* erase responce on error
* erase auth token
- pam_pwhistory:
* erase buffers containing old passwords
- pam_selinux: skip overwriting data structure consisting of only
pointers to insensitive data, which also gets free'd afterwards (so
it currently does not protect against double-free or use-after-free on
the member pointers)
- pam_unix: erase cipher data in more places
- pam_userdb: erase password hashes
|
| |
|
|
|
|
|
|
|
| |
Otherwise the corresponding files are still installed in /etc/security.
* configure.ac (AC_SUBST): Add VENDOR_SCONFIGDIR.
(AM_CONDITIONAL): Add HAVE_VENDORDIR.
* modules/*/Makefile.am (secureconfdir): Set to VENDOR_SCONFIGDIR
if HAVE_VENDORDIR has been set, otherwise to SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changed files
--------------
Make.xml.rules.in:
- Using RNG file instead of DTD file for checking XML files.
- Taking the correct stylesheet for README files.
doc/sag/Makefile.am, doc/adg/Makefile.am, doc/mwg/Makefile.am:
- Using RNG file instead of DTD file for checking XML files.
configure.ac:
- Adding a new option for selecting RNG check file (-enable-docbook-rng)
- Switching stylesheets to docbook 5
- Checking DocBook 5 environment instead of DocBook 4 environment
*.xml:
Update from DockBook 4 to DocBook 5
|
| |
|
|
|
|
| |
* modules/pam_namespace/pam_namespace.c (inst_init): Make sure
the SIGCHLD handler is not reset too early by moving the sigaction
call right before the fork call.
|
| |
|
|
|
|
|
|
|
|
| |
Use the vendor directory as fallback for a distribution provided default
config and scripts if there is no configuration in /etc.
pam_namespace.c: Take care about the fallback configuration in vendor directory.
pam_namespace.h: Define vendor specific files and directories.
pam_namespace.8.xml: Add description for vendor directories and files.
namespace.conf.5.xml: Add description for vendor directories and files.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use SCONFIGDIR macro instead of open-coding "/etc/security",
the latter is not correct when configured using --enable-sconfigdir
with an argument different from /etc/security.
* modules/pam_faillock/faillock.h (FAILLOCK_DEFAULT_CONF): Use
SCONFIGDIR.
* modules/pam_namespace/pam_namespace.h (SECURECONF_DIR): Remove.
(PAM_NAMESPACE_CONFIG, NAMESPACE_INIT_SCRIPT, NAMESPACE_D_DIR,
NAMESPACE_D_GLOB): Use SCONFIGDIR.
* modules/pam_namespace/Makefile.am (AM_CFLAGS): Remove
-DSECURECONF_DIR.
* modules/pam_pwhistory/opasswd.c (OLD_PASSWORDS_FILE): Use SCONFIGDIR.
* modules/pam_unix/passverify.h: Likewise.
* modules/pam_unix/passverify.c (OPW_TMPFILE): Use SCONFIGDIR.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
* Add this option to support the following scenario:
prefix = '/usr'
servicedir = '/lib/systemd/system'
* The default behavior is changed:
If this option is not given, servicedir will be set to the value that is
obtained from systemd pkg-config file. If the value cannot be obtained,
servicedir will be set to the default value '$(prefix)/lib/systemd/system'.
Signed-off-by: Changqing Li <changqing.li@windriver.com>
|
| |
|
|
|
|
|
|
|
|
| |
Check for the unlikely case string_to_security_class() does not find the
associated SELinux security class.
This will only happen if the loaded SELinux policy does not define the
class "dir" (which no sane policy does) or querying the selinuxfs
fails.
Suggested by #309
|
| |
|
|
|
|
|
| |
modules/pam_namespace/pam_namespace.8.xml: delete obsolete information
about polyinstantiation and refer to gdm's documentation.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861841
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Apparently, gcc is also not smart enough to infer the alignment
of structure fields, for details see
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=89133
Use unions to avoid these casts altogether, this fixes compilation
warnings reported by gcc on arm, e.g.:
md5.c: In function 'MD5Update':
md5.c:92:35: error: cast increases required alignment of target type [-Werror=cast-align]
92 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
md5.c:101:35: error: cast increases required alignment of target type [-Werror=cast-align]
101 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
md5.c: In function 'MD5Final':
md5.c:136:35: error: cast increases required alignment of target type [-Werror=cast-align]
136 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
md5.c:147:9: error: cast increases required alignment of target type [-Werror=cast-align]
147 | memcpy((uint32 *)ctx->in + 14, ctx->bits, 2*sizeof(uint32));
| ^
md5.c:149:34: error: cast increases required alignment of target type [-Werror=cast-align]
149 | MD5Name(MD5Transform)(ctx->buf, (uint32 *) ctx->in);
| ^
* modules/pam_namespace/md5.h (struct MD5Context): Replace "buf" and
"in" fields with unions. All users updated.
* modules/pam_unix/md5.h (struct MD5Context): Likewise.
* modules/pam_timestamp/sha1.h (struct sha1_context.pending): Replace
with a union. All users updated.
Complements: v1.4.0~195 ("Fix most of clang -Wcast-align compilation warnings")
|
| |
|
|
|
|
|
| |
* modules/pam_namespace/md5.c: Do not check against the list of
architectures that are known to be little-endian, instead check
for WORDS_BIGENDIAN macro defined by AC_C_BIGENDIAN autoconf macro
on big-endian platforms.
|
| |
|
|
|
|
|
| |
These retrieved contexts are just passed to libselinux functions and not
printed or otherwise made available to the outside, so a context
translation to human readable MCS/MLS labels is not needed.
(see man:setrans.conf(5))
|
| |
|
|
|
| |
The matchpathcon family is deprecated.
Use the selabel family.
|
| |
|
|
|
| |
libselinux 3.1 deprecated the typedef security_context_t.
Use the underlaying type.
|
| |
|
|
|
|
|
|
|
|
|
| |
[ldv: rewrote commit message]
* modules/pam_mkhomedir/mkhomedir_helper.c (create_homedir): Close just
opened file descriptor "srcfd" in an unlikely case when it cannot be
fstat'ed.
* modules/pam_namespace/pam_namespace.c (create_instance): Close just
opened file descriptor "fd" in an unlikely case when it cannot be
fstat'ed.
|
| |
|
|
|
|
| |
* modules/pam_namespace/.gitignore: Add pam_namespace.service.
Complements: v1.4.0~247 ("pam_namespace: secure tmp-inst directories")
|
| | |
|
| |
|
|
|
|
|
|
| |
... and remove $(TESTS) from EXTRA_DIST.
The change is performed automatically using the following script:
sed -i -e 's/^TESTS = \(tst.*\)/dist_check_SCRIPTS = \1\nTESTS = $(dist_check_SCRIPTS)/' \
-e '/^EXTRA_DIST/ s/ \$(TESTS)//' modules/*/Makefile.am
|
