path: root/modules
Commit message | Author | Age | Files | Lines
* pam_debug: simplify state function | Tobias Stoeckmann | 2024-01-12 | 1 | -8/+2
  The return value of function state is never checked.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: fix Makefile.am dependencies | Tobias Stoeckmann | 2024-01-12 | 1 | -1/+1
  Comply with doc/man and enforce that pam_env.conf.5 does exist.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: strictly separate builddir and srcdir | Tobias Stoeckmann | 2024-01-12 | 45 | -45/+45
  Building outside of source directory fails if --disable-doc is not explicitly chosen. This happens because generated files are sometimes expected in the source directory, where they won't exist.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: build unix_update only with SELinux enabled | Christian Göttsche | 2024-01-08 | 1 | -3/+16
  The helper unix_update(8) is only called from code enabled when SELinux support is enabled.
* pam_unix: fix memory leak | Christian Göttsche | 2024-01-08 | 1 | -0/+1
  The the allocated line buffer on success.
  Reported by GCC analyzer.
  Fixes: 4a2d60e9 ("pam_unix: use getline in _unix_getpwnam")
* pam_unix: do not truncate user names | Tobias Stoeckmann | 2024-01-08 | 2 | -6/+2
  This could allow users with very long names to impersonate a user with a 255 characters long name.
  The check if the argument argv[1] actually matches the user name implies that "user" can unconditionally be set to argv[1]: If they are equal, the strings are obviously equal. If they are not or if null is returned by getuidname, "user" is set to argv[1] anyway.
  This way, the static buffer can be safely removed because the result of getpwuid() is not stored, which means that subsequent calls to such functions can safely overwrite their internal buffers.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_access: avoid group name truncation | Tobias Stoeckmann | 2024-01-08 | 1 | -7/+5
  If a very long group name is supplied, do not truncate it. It is safe to work directly on the supplied token, which is also already done in user_match, from where group_match is also called.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: prevent overflow with very long line | Tobias Stoeckmann | 2024-01-08 | 1 | -6/+11
  The strcpy is not safe anymore because input lines can be very long. Use strdup instead. If allocation fails, treat the error exactly like a memory allocation issue in pam_modutil functions.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: use _pam_assemble_line | Tobias Stoeckmann | 2024-01-05 | 1 | -100/+14
  When pam_env is compiled without libeconf support enabled, this removes fgets limitations and allows arbitrarily long lines.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: skip _expand_arg if possible | Tobias Stoeckmann | 2024-01-05 | 1 | -0/+7
  If no special characters exist, simply skip _expand_arg to avoid memory allocations and string copying.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: extend test for escaped newlines | Tobias Stoeckmann | 2024-01-05 | 1 | -1/+3
  This covers the _assemble_line functionality, which slightly differs from _pam_assemble_line in libpam, i.e. does not replace the backslash with a blank.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: allow very long variable expansions | Tobias Stoeckmann | 2024-01-05 | 2 | -40/+123
  Variable expansion can exceed the maximum line length allowed in an environment configuration file. Since PAM environment variables already support arbitrary lengths, allow them in pam_env as well.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: fix typo in manual page | Tobias Stoeckmann | 2024-01-05 | 1 | -1/+1
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: fix typos in manual page | Tobias Stoeckmann | 2024-01-05 | 1 | -3/+3
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* treewide: fix typos in comments | Tobias Stoeckmann | 2024-01-05 | 4 | -5/+5
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix/passverify: always run the helper to obtain shadow password file entries | Dmitry V. Levin | 2024-01-04 | 1 | -10/+11
  Initially, when pam_unix.so verified the password, it used to try to obtain the shadow password file entry for the given user by invoking getspnam(3), and only when that didn't work and the effective uid was nonzero, pam_unix.so used to invoke the helper as a fallback.
  When SELinux support was introduced by commit 67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended also for the case when SELinux was enabled.
  Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the fallback conditions for the case when pam_modutil_getspnam() failed with EACCES.
  Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is invoked as a fallback when pam_modutil_getspnam() fails for any reason.
  The ultimate solution for the case when pam_unix.so does not have permissions to obtain the shadow password file entry is to stop trying to use pam_modutil_getspnam() and to invoke the helper instead. Here are two recent examples.
  https://github.com/linux-pam/linux-pam/pull/484 describes a system configuration where libnss_systemd is enabled along with libnss_files in the shadow entry of nsswitch.conf, so when libnss_files is unable to obtain the shadow password file entry for the root user, e.g. when SELinux is enabled, NSS falls back to libnss_systemd which returns a synthesized shadow password file entry for the root user, which in turn locks the root user out.
  https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes essentially the same problem in a similar system configuration.
  This commit is the final step in the direction of addressing the issue: for password verification pam_unix.so now invokes the helper instead of making the pam_modutil_getspnam() call.
  * modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]: Always return PAM_UNIX_RUN_HELPER instead of trying to obtain the shadow password file entry.
  Complements: https://github.com/linux-pam/linux-pam/pull/386
  Resolves: https://github.com/linux-pam/linux-pam/pull/484
  Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
* pam_timestamp: correct failure condition | Christian Göttsche | 2024-01-04 | 1 | -1/+1
  Bail out on NULL pointer, not otherwise.
  Reported by cppcheck.
  Fixes: 8a3f0810 ("Y2038: use logind instead of utmp")
* pam_filter: drop invalid tty hack | Christian Göttsche | 2024-01-04 | 1 | -5/+0
  The open(3) flag O_NOCTTY does not detach the calling process from the opened file descriptor, like TIOCNOTTY, see tty(4), does. Drop the invalid hack to avoid the file descriptor being leaked.
  Reported by cppcheck.
* pam_timestamp: fix condition order | Christian Göttsche | 2024-01-04 | 1 | -2/+2
  Check the array index first before dereferencing the array. Also convert the index type to size_t to avoid casting.
  Reported by cppcheck.
* pam_listfile: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -3/+4
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use getline | Tobias Stoeckmann | 2024-01-03 | 2 | -4/+8
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_xauth: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -2/+5
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_faillock: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -3/+5
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_access: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -7/+12
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_exec: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -2/+4
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_limits: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -8/+16
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_sepermit: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -4/+10
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_securetty: use getline | Tobias Stoeckmann | 2024-01-03 | 1 | -9/+24
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: reduce variable visibility | Tobias Stoeckmann | 2024-01-03 | 1 | -3/+7
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: calculate user length only if needed | Tobias Stoeckmann | 2024-01-03 | 1 | -3/+4
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use getline in _unix_getpwnam | Tobias Stoeckmann | 2024-01-03 | 1 | -12/+18
  Use getline instead of fgets to allow arbitrarily long lines.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: unify error handling | Tobias Stoeckmann | 2024-01-03 | 1 | -15/+14
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use calloc instead of malloc/memset | Tobias Stoeckmann | 2024-01-03 | 1 | -2/+1
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: use size_t instead of int for sizes | Tobias Stoeckmann | 2024-01-03 | 1 | -5/+5
  Also rename buflen to retlen, since it is not associated with the variable buf, but ret.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_unix: avoid reading uninitialized variable | Tobias Stoeckmann | 2024-01-03 | 1 | -10/+8
  The function _unix_comesfromsource calls _unix_getpwnam internally. When changing the authentication token, it is first called to read local passwd file and optionally contacting NIS. If an entry is found, _unix_getpwnam is called, this time definitely reading passwd file and contacting NIS (if support exists) and parsing the entry. This is meant to check if the entry is not just available but also valid.
  Since the return value of _unix_getpwnam is not checked and the supplied pointer is only set in case of success, the check for a NULL pointer afterwards can lead to undefined behavior.
  It is easier to call _unix_getpwnam directly, check its return value and then check if the entry could be parsed. This in turn reduces the amount of /etc/passwd accesses (and fixes a theoretical TOCTOU race).
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: validate amount of uids in config | Tobias Stoeckmann | 2024-01-03 | 1 | -1/+6
  If more than INT_MAX uids are found in a configuration line, the variable `count` would trigger a signed integer overflow.
  If more than UINT_MAX uids are found in a configuration line, then the `num_uids` counter is invalid, which could eventually lead to out of boundary accesses.
  Also make sure that size multiplication for malloc does not overflow.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_namespace: document that the namespace.init script runs as root | Matthias Gerstner | 2024-01-03 | 2 | -2/+8
* pam_namespace: document instance_prefix field better wrt final element | Matthias Gerstner | 2024-01-03 | 1 | -6/+7
* pam_namespace: close unnecessary file descriptors before exec() | Matthias Gerstner | 2024-01-03 | 1 | -0/+11
  Currently the `rm` subprocess and the namespace init script inherit a random set of open file descriptors from the process running PAM. Depending on the actual PAM stack configuration these can even be security sensitive files. In any case it is unclean to inherit unexpected open file descriptors to child processes like this.
  To address this close all file descriptors except stdio before executing a new program.
* pam_namespace: cleanup_tmpdirs(): use proper error message | Matthias Gerstner | 2024-01-03 | 1 | -1/+1
* pam_namespace: fix double-free on parse error in namespace.conf | Matthias Gerstner | 2024-01-03 | 1 | -1/+1
  If a line in namespace.conf only consists of one field then the error handling logic in process_line() ends up in a double-free, resulting in a process abort in libc.
  It looks like instead of NULLing the `dir` variable, the `instance_prefix` is NULLed, without purpose. Fix this.
* pam_exec: allow expose_authtok for password PAM_TYPE | Anton Gubarkov | 2024-01-02 | 2 | -3/+3
  Before this change, pam_exec allowed expose_authtok option to be specified for "auth" PAM_TYPE only.
  * modules/pam_exec/pam_exec.c (call_exec): Allow expose_authtok to be specified for "password" PAM_TYPE.
  * modules/pam_exec/pam_exec.8.xml: Document it.
* pam_listfile: drop string duplication | Tobias Stoeckmann | 2024-01-02 | 1 | -26/+4
  The ifname variable is only assigned, but the string content itself is never modified. Drop the strdup call to simplify the code.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_listfile: do not truncate arguments | Tobias Stoeckmann | 2024-01-02 | 1 | -40/+31
  Allow arbitrary lengths of arguments coming from pam configuration file.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_listfile: fix typo in comment | Tobias Stoeckmann | 2024-01-02 | 1 | -1/+1
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_listfile: fix formatting | Tobias Stoeckmann | 2024-01-02 | 1 | -13/+14
  The formatting made the code look like there is an "else"-block followed by an "else if"-block.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_faillock: do not truncate arguments | Tobias Stoeckmann | 2024-01-02 | 1 | -7/+11
  The FAILLOCK_CONF_MAX_LINELINE limitation is not true for arguments which derive from pam configuration file.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_wheel: do not truncate group | Tobias Stoeckmann | 2024-01-02 | 1 | -7/+7
  If a pam configuration file contains a very long group name, do not silently truncate it.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: use strndup | Tobias Stoeckmann | 2024-01-02 | 1 | -12/+8
  The strndup call is easier to review than malloc + strncpy.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
* pam_env: reduce variable visibility | Tobias Stoeckmann | 2024-01-02 | 1 | -9/+9
  This will simplify further changes.
  Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>