aboutsummaryrefslogtreecommitdiff
path: root/modules/pam_unix
Commit message (Collapse)AuthorAgeFilesLines
* pam_unix: drop cast to same typeChristian Göttsche2024-02-221-1/+1
|
* pam_unix: avoid string formatting of NULLChristian Göttsche2024-02-221-2/+3
| | | | | | | Since the struct member user might be NULL use the same condition for the value as for the preceding key. Reported-by: Yugend
* pam_unix: try to set uid to 0 for unix_chkpwdTobias Stoeckmann2024-01-242-15/+16
| | | | | | | | | | | | | The geteuid check does not cover all cases. If a program runs with elevated capabilities like CAP_SETUID then we can still check credentials of other users. Keep logging for future analysis though. Resolves: https://github.com/linux-pam/linux-pam/issues/747 Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries") Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* libpam_internal: supply debug functionalityTobias Stoeckmann2024-01-241-4/+7
| | | | | | | | | | Move function bodies from headers into dedicated object files stored in libpam_internal. This library won't be installed. Keep the debug function body in header, even though disabled when building Linux-PAM, to stay API compatible with previous versions. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* modules: add pamc headers to the search path only when neededTobias Stoeckmann2024-01-211-1/+1
| | | | | | | | | The pam client library libpamc is only needed if libpam_misc is in use. But libpam_misc is only used by an SELinux helper binary. Remove the libpamc includes from the search path in all other cases. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: cleanse crypt dataChristian Göttsche2024-01-211-0/+1
| | | | | Cleanse the crypt data also in the failure branch to sanitize in case of partial data being written.
* modules: zero out crypt_r(3) data before usageChristian Göttsche2024-01-212-6/+3
| | | | The manual page of crypt_r(3) recommends to zero the entire data object.
* pam_unix: do not warn if password aging is disabledTobias Stoeckmann2024-01-191-1/+0
| | | | | | | | | Later checks will print a warning if daysleft is 0. If password aging is disabled, leave daysleft at -1. Resolves: https://github.com/linux-pam/linux-pam/issues/743 Fixes: 9ebc14085a3b ("pam_unix: allow disabled password aging") Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix typos in commentsChristian Göttsche2024-01-162-2/+2
|
* pam_unix: do not allow comma as a field separatorTobias Stoeckmann2024-01-162-9/+8
| | | | | | | | | | | The opasswd file shall not use comma as a separator. Enforce colon just like pam_pwhistory does as well. A comma can be part of a user name, although its usage is discouraged. If such a user exists, it could happen that stored passwords of another user are checked. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: declare read-only data array constChristian Göttsche2024-01-151-1/+1
|
* pam_unix: log about failure to execute unix_chkpwd(8)Christian Göttsche2024-01-151-1/+1
|
* pam_unix: clean additional possible sensitive buffersChristian Göttsche2024-01-153-2/+7
|
* pam_unix: use more appropriate typesChristian Göttsche2024-01-152-5/+5
|
* pam_unix: retain const qualifierChristian Göttsche2024-01-151-6/+6
|
* pam_unix: enclose macro argumentsChristian Göttsche2024-01-151-3/+3
|
* pam_unix: set close-on-execChristian Göttsche2024-01-154-24/+13
| | | | | | | | | Since the module operates on sensitive files set the close-on-exec flag, to avoid file descriptor leaks if there is ever any sibling thread. The fopen(3) mode "e" is supported in glibc since version 2.7 (released in 2007), and ignored prior, see: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65d834b0add966dbbdb5ed1e916c60b2b2d87f10
* pam_unix: support setgid version of unix_chkpwd(8)Christian Göttsche2024-01-151-2/+7
| | | | | | | | | | | In case unix_chkpwd(8) is not a setuid but a setgid binary, reset to the real group as well. Also check the privileges are permanently lost, see: https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful See also the current Debian patch: https://sources.debian.org/src/pam/1.5.2-9.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch/
* pam_unix: reject unix_update(8) running on different unprivileged userChristian Göttsche2024-01-151-3/+13
| | | | | | In case unix_update(8) is installed as a setuid binary, which Fedora and Debian does not do, prevent unprivileged users to probe (and eventually change) passwords of other users (including root).
* pam_unix: add audit support to unix_update(8)Christian Göttsche2024-01-152-1/+18
| | | | | | | Emit audit reports in the helper unix_update(8) about abnormal executions, unprivileged authentications, and password updates. Also log unprivileged authentication failures to syslog.
* pam_unix: refactor audit loggingChristian Göttsche2024-01-155-36/+61
| | | | | Split the audit logging code into a separate file, to be reused by unix_update(8).
* pam_unix: fix regressionsTobias Stoeckmann2024-01-152-2/+1
| | | | | | | | | | | | The returned value stored in pwd from _unix_getpwnam is inserted into pam handler through pam_set_data. Do not manually free the value. Also check getline return value for != -1 instead of == -1. Fixes 8f2ca5919b26843ef774ef0aeb9bf261dec943a0 and 73d009e9ea8edafc18c7fe3650b25dd6bdce88c1. No release affected. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: annotate declaration with format attributeChristian Göttsche2024-01-152-1/+1
| | | | | Instead of annotating the function definition with the format attribute annotate the declaration, so the annotation is visible at call sites.
* treewide: strictly separate builddir and srcdirTobias Stoeckmann2024-01-121-1/+1
| | | | | | | | | | Building outside of source directory fails if --disable-doc is not explicitly chosen. This happens because generated files are sometimes expected in the source directory, where they won't exist. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: build unix_update only with SELinux enabledChristian Göttsche2024-01-081-3/+16
| | | | | The helper unix_update(8) is only called from code enabled when SELinux support is enabled.
* pam_unix: fix memory leakChristian Göttsche2024-01-081-0/+1
| | | | | | | | The the allocated line buffer on success. Reported by GCC analyzer. Fixes: 4a2d60e9 ("pam_unix: use getline in _unix_getpwnam")
* pam_unix: do not truncate user namesTobias Stoeckmann2024-01-082-6/+2
| | | | | | | | | | | | | | | | This could allow users with very long names to impersonate a user with a 255 characters long name. The check if the argument argv[1] actually matches the user name implies that "user" can unconditionally be set to argv[1]: If they are equal, the strings are obviously equal. If they are not or if null is returned by getuidname, "user" is set to argv[1] anyway. This way, the static buffer can be safely removed because the result of getpwuid() is not stored, which means that subsequent calls to such functions can safely overwrite their internal buffers. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix typos in manual pageTobias Stoeckmann2024-01-051-3/+3
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix/passverify: always run the helper to obtain shadow password file ↵Dmitry V. Levin2024-01-041-10/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | entries Initially, when pam_unix.so verified the password, it used to try to obtain the shadow password file entry for the given user by invoking getspnam(3), and only when that didn't work and the effective uid was nonzero, pam_unix.so used to invoke the helper as a fallback. When SELinux support was introduced by commit 67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended also for the case when SELinux was enabled. Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the fallback conditions for the case when pam_modutil_getspnam() failed with EACCES. Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is invoked as a fallback when pam_modutil_getspnam() fails for any reason. The ultimate solution for the case when pam_unix.so does not have permissions to obtain the shadow password file entry is to stop trying to use pam_modutil_getspnam() and to invoke the helper instead. Here are two recent examples. https://github.com/linux-pam/linux-pam/pull/484 describes a system configuration where libnss_systemd is enabled along with libnss_files in the shadow entry of nsswitch.conf, so when libnss_files is unable to obtain the shadow password file entry for the root user, e.g. when SELinux is enabled, NSS falls back to libnss_systemd which returns a synthesized shadow password file entry for the root user, which in turn locks the root user out. https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes essentially the same problem in a similar system configuration. This commit is the final step in the direction of addressing the issue: for password verification pam_unix.so now invokes the helper instead of making the pam_modutil_getspnam() call. * modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry. Complements: https://github.com/linux-pam/linux-pam/pull/386 Resolves: https://github.com/linux-pam/linux-pam/pull/484 Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
* pam_unix: use getlineTobias Stoeckmann2024-01-032-4/+8
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: reduce variable visibilityTobias Stoeckmann2024-01-031-3/+7
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: calculate user length only if neededTobias Stoeckmann2024-01-031-3/+4
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use getline in _unix_getpwnamTobias Stoeckmann2024-01-031-12/+18
| | | | | | Use getline instead of fgets to allow arbitrarily long lines. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: unify error handlingTobias Stoeckmann2024-01-031-15/+14
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use calloc instead of malloc/memsetTobias Stoeckmann2024-01-031-2/+1
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use size_t instead of int for sizesTobias Stoeckmann2024-01-031-5/+5
| | | | | | | Also rename buflen to retlen, since it is not associated with the variable buf, but ret. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: avoid reading uninitialized variableTobias Stoeckmann2024-01-031-10/+8
| | | | | | | | | | | | | | | | | | | | | The function _unix_comesfromsource calls _unix_getpwnam internally. When changing the authentication token, it is first called to read local passwd file and optionally contacting NIS. If an entry is found, _unix_getpwnam is called, this time definitely reading passwd file and contacting NIS (if support exists) and parsing the entry. This is meant to check if the entry is not just available but also valid. Since the return value of _unix_getpwnam is not checked and the supplied pointer is only set in case of success, the check for a NULl pointer afterwards can lead to undefined behavior. It is easier to call _unix_getpwnam directly, check its return value and then check if the entry could be parsed. This in turn reduces the amount of /etc/passwd accesses (and fixes a theoretical TOCTOU race). Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* unix_chkpwd, unix_update: Use exit codes 128+ on signalsSolar Designer2023-12-291-1/+1
|
* treewide: use asprintf to construct stringsTobias Stoeckmann2023-12-192-17/+10
| | | | | | | | The asprintf function is considered as given for current code already. Use it instead of calling malloc + strcpy + strcat manually. Reported-by: Benny Baumann <BenBE@geshi.org> Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: fix typos in comments and documentationTobias Stoeckmann2023-12-184-4/+4
| | | | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: store strlen results in size_tTobias Stoeckmann2023-12-141-1/+1
| | | | | | | Very long strings could overflow the int data type. Make sure to use the correct data type. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: assume free(NULL) is no-opDmitry V. Levin2023-12-141-2/+1
| | | | | The C standard guarantees that if the argument of free() is a null pointer, no action occurs.
* pam_unix: sp_min and sp_warn must be at least 1Tobias Stoeckmann2023-12-121-2/+2
| | | | | | | If sp_min or sp_warn are set to 0 or empty (-1), then their respective features are disabled according to shadow(5). Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: allow disabled password agingTobias Stoeckmann2023-12-121-0/+5
| | | | | | | | | According to shadow(5) manual page, an empty sp_lstchg field implies that password aging is disabled. This indeed is in sync with shadow's isexpired function. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: sync expiry checks with shadowTobias Stoeckmann2023-12-121-3/+3
| | | | | | | | | | | The shadow library uses "greater than or equal to" checks instead of current "greater than" checks in pam_unix. The account expiry check is already "greater than or equal to" so this adjustment can even be argued without making references to other projects. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: simplify save_old_passwordTobias Stoeckmann2023-12-121-13/+7
| | | | | | | | The combination of snprintf and fputs is not needed. It is possible to call fprintf directly. The previously ignored return value of snprintf is covered this way as well. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix possible shadow signed overflowsTobias Stoeckmann2023-12-111-20/+41
| | | | | | | | | | | | | | | | | | It is possible to trigger signed integer overflows in check_shadow_expiry if /etc/shadow contains very large values. Since these values have to be set by a system administrator, it would already count as a configuration error. Yet, avoid overflows which would consider accounts which are supposed to be valid for a veeery long time as already invalid. Also, it would be undefined behavior for almost all C standards. Also consider every negative value as invalid, not just -1. The shadow project has different ways of handling these values, but this approach is in sync with its lib/isexpired.c implementation. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: check str to integer conversionsTobias Stoeckmann2023-12-112-17/+53
| | | | | | Print an error in syslog if an integer could not be converted. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use correct number of roundsTobias Stoeckmann2023-12-111-16/+15
| | | | | | | | | | | | | | | | It is possible to have a mismatch between ENCRYPT_METHOD in login.defs and an argument given specifically to pam_unix.so. If pam_unix.so receives the argument "yescrypt" but ENCRYPT_METHOD is set to SHA512, then SHA_CRYPT_MAX_ROUNDS is parsed from login.defs and used as rounds for yescrypt -- except if rounds are specificially given as an argument to pam_unix.so as well. Read the correct rounds from login.defs after all arguments are parsed and no rounds were specified to figure out which one will eventually be used. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: handle invalid names in _unix_getpwnamTobias Stoeckmann2023-12-071-2/+3
| | | | | | | | | | | | It is possible to trigger an out of boundary read with very long usernames (strlen's result is stored in an int) or, with even longer usernames, match other users with same prefix. This would mean that roott[and lots of t's following] could match root user. Also do not allow ':' in names when iterating through the passwd file this way. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
generated by cgit v1.2.3 (git 2.39.1) at 2025-04-16 01:20:31 +0000