| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| | |
|
| |
|
|
|
|
|
| |
Since the struct member user might be NULL use the same condition for
the value as for the preceding key.
Reported-by: Yugend
|
| |
|
|
|
|
|
|
| |
Untangle two distinct strings to simplify their usage.
Check for allocation failure of the second one.
Fix double-free of the second one in the error branch in line 692.
Reported-by: Yugend
|
| |
|
|
|
| |
On asprintf(3) failure the value of the first argument is undefined.
Set to NULL to avoid UB on cleanup.
|
| |
|
|
|
|
|
| |
The line itself is modified while parsing its content. Print the line
number and file name instead so an administrator can investigate it.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
Trim all whitespaces before and after value.
Resolves: https://github.com/linux-pam/linux-pam/pull/760
Fixes: eec4358a49dc ("pam_limits: avoid sscanf in parse_config_file")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The pam_assemble_line function is renamed to pam_line_assemble and
moved into libpam_internal so it can be shared across libpam and the
pam_env module.
Applied renaming to all other relevant functions and data structures
so it is easier to locate them in files.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The geteuid check does not cover all cases. If a program runs with
elevated capabilities like CAP_SETUID then we can still check
credentials of other users.
Keep logging for future analysis though.
Resolves: https://github.com/linux-pam/linux-pam/issues/747
Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
| |
Move function bodies from headers into dedicated object files stored in
libpam_internal. This library won't be installed.
Keep the debug function body in header, even though disabled when
building Linux-PAM, to stay API compatible with previous versions.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
| |
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
Use strtoll to support up to 64 bit on 32 bit systems, although only up
to 32 unsigned bits are used. The strtoul function exists but converts
negative numbers to positive ones without any form of warning.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
The pam client library libpamc is only needed if libpam_misc is in use.
But libpam_misc is only used by an SELinux helper binary.
Remove the libpamc includes from the search path in all other cases.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
The struct crypt_data has the size of 32768 bytes, thus allocate it on
the heap for portability.
|
| |
|
|
| |
Clease the crypt data to avoid any potential information leakage.
|
| |
|
|
|
| |
Cleanse the crypt data also in the failure branch to sanitize in case of
partial data being written.
|
| |
|
|
| |
The manual page of crypt_r(3) recommends to zero the entire data object.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix the following warning reported by gcc on 32bit platforms:
pam_faildelay.c: In function 'pam_sm_authenticate':
pam_faildelay.c:104:34: error: comparison of integer expressions of different signedness: 'long int' and 'unsigned int' [-Werror=sign-compare]
104 | if (delay < 0 || delay > UINT_MAX)
| ^
pam_faildelay.c:123:32: error: comparison of integer expressions of different signedness: 'long int' and 'unsigned int' [-Werror=sign-compare]
123 | if (delay < 0 || delay > UINT_MAX / S_TO_MICROS)
| ^
* modules/pam_faildelay/pam_faildelay.c (pam_sm_authenticate): Cast
"delay" to "unsigned long" in comparisons with unsigned int.
Fixes: dd87776d3683 ("pam_faildelay: validate parameter ranges")
|
| |
|
|
|
|
|
|
|
| |
Given that sed is considered a more lightweight dependency than awk,
and since sed is used by pam_namespace_helper anyway, use sed instead of
awk in namespace.init as well.
* modules/pam_namespace/namespace.init: Use sed instead of awk to obtain
the UMASK value from /etc/login.defs.
|
| |
|
|
|
|
|
|
|
| |
Later checks will print a warning if daysleft is 0. If password
aging is disabled, leave daysleft at -1.
Resolves: https://github.com/linux-pam/linux-pam/issues/743
Fixes: 9ebc14085a3b ("pam_unix: allow disabled password aging")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
| |
The libeconf routines do not remove escaped newlines the way we want to
process them later on. Manually remove them from values.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Resolves: https://github.com/linux-pam/linux-pam/issues/738
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
| |
|
|
|
|
|
|
|
| |
* modules/pam_env/pam_env.c (_parse_config_file) [!USE_ECONF &&
VENDOR_DEFAULT_CONF_FILE]: Do not fallback to vendor pam_env.conf file
if the config file is specified via module arguments.
Link: https://github.com/linux-pam/linux-pam/issues/738
Fixes: v1.5.3~69 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
|
| |
|
|
|
|
|
|
|
| |
The VENDORDIR define has to be checked after config.h
inclusion, otherwise the ifdef test always yields false.
Fixes: 6135c45347b6 ("pam_env: Use vendor specific pam_env.conf and environment as fallback")
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pam_namespace.c makes use of SIZE_MAX but doesn't include stdint.h,
resulting in the following build failures on 1.6.0:
pam_namespace.c: In function 'process_line':
pam_namespace.c:649:41: error: 'SIZE_MAX' undeclared (first use in this function)
649 | if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
| ^~~~~~~~
pam_namespace.c:41:1: note: 'SIZE_MAX' is defined in header '<stdint.h>'; did you forget to '#include <stdint.h>'?
40 | #include "argv_parse.h"
+++ |+#include <stdint.h>
41 |
pam_namespace.c:649:41: note: each undeclared identifier is reported only once for each function it appears in
649 | if (count > UINT_MAX || count > SIZE_MAX / sizeof(uid_t)) {
| ^~~~~~~~
Fixes: v1.6.0~100 ("pam_namespace: validate amount of uids in config")
Resolves: https://github.com/linux-pam/linux-pam/issues/733
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Without O_DIRECTORY the path crawling logic is subject to e.g. FIFOs
being placed in user controlled directories, causing the PAM module to
block indefinitely during `openat()`.
Pass O_DIRECTORY to cause the `openat()` to fail if the path does not
refer to a directory.
With this the check whether the final path element is a directory
becomes unnecessary, drop it.
|
| |
|
|
|
|
| |
The option file points to a file, not a directory.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| | |
|
| |
|
|
|
|
|
| |
Removes its usage from check_old_pass and reduces its
visibility in save_old_pass.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
| |
Users may have a hash character in their name, which would be removed.
This in turn effectively defeats the purpose of pam_pwhistory for the
user.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
The opasswd file shall not use comma as a separator. Enforce colon just
like pam_pwhistory does as well.
A comma can be part of a user name, although its usage is discouraged.
If such a user exists, it could happen that stored passwords of another
user are checked.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Replace
while (getline(...) != -1 && retval)
with
while (retval && getline(...) != -1)
* modules/pam_listfile/pam_listfile.c (pam_listfile): Do not invoke
getline(3) when its result is going to be ignored.
* modules/pam_securetty/pam_securetty.c (securetty_perform_check):
Likewise.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Since the module operates on sensitive files set the close-on-exec flag,
to avoid file descriptor leaks if there is ever any sibling thread.
The fopen(3) mode "e" is supported in glibc since version 2.7 (released
in 2007), and ignored prior, see:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65d834b0add966dbbdb5ed1e916c60b2b2d87f10
|
| |
|
|
|
|
|
|
|
|
|
| |
In case unix_chkpwd(8) is not a setuid but a setgid binary, reset to the
real group as well.
Also check the privileges are permanently lost, see:
https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful
See also the current Debian patch:
https://sources.debian.org/src/pam/1.5.2-9.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch/
|
| |
|
|
|
|
| |
In case unix_update(8) is installed as a setuid binary, which Fedora and
Debian does not do, prevent unprivileged users to probe (and eventually
change) passwords of other users (including root).
|
| |
|
|
|
|
|
| |
Emit audit reports in the helper unix_update(8) about abnormal
executions, unprivileged authentications, and password updates.
Also log unprivileged authentication failures to syslog.
|
| |
|
|
|
| |
Split the audit logging code into a separate file, to be reused by
unix_update(8).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The returned value stored in pwd from _unix_getpwnam is inserted into
pam handler through pam_set_data. Do not manually free the value.
Also check getline return value for != -1 instead of == -1.
Fixes 8f2ca5919b26843ef774ef0aeb9bf261dec943a0 and
73d009e9ea8edafc18c7fe3650b25dd6bdce88c1. No release affected.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
| |
Disable code to run helper binary if SELinux is not enabled.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Apply the same logic of pam_unix Makefile adjustment for
pw_history as well. Reference commit is
cb9f88ba944d56c0b6c65be18500f7d56c9f514c.
The helper pwhistory_helper(8) is only called from code enabled when
SELinux support is enabled.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
| |
Instead of annotating the function definition with the format attribute
annotate the declaration, so the annotation is visible at call sites.
|
| |
|
|
|
| |
Instead of annotating the function definition with the format attribute
annotate the declaration, so the annotation is visible at call sites.
|
| |
|
|
|
|
| |
Cover previous changes with unit test.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
| |
If an empty string is encountered, do not treat it as 0. Instead,
return PAM_SERVICE_ERR as specified in comment.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Fields are currently written to stack buffer, even if they already
exist in heap. Just reference them in this case. If numbers have to be
stored as a string, use a stack buffer sufficiently large for the
long long conversion (64 bit).
Also adjust the "left != buf" check to allow this change. It is simply
the else-statement to previous if-else-if-block, because in every other
case left is set to buf.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
| |
|
|
|
|
| |
These are leftovers from fgets usages.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
