From bcba17939e1b1a568cd4a764534cde74d37078cc Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Mon, 30 Jan 2023 17:56:58 +0100
Subject: modules: make use of secure memory erasure

Use empty initialization of structs to minimize the memset() usage, to reduce the amount of calls which are not sensitive.

Non trivial changes:
- pam_env:
 * erase environment variables where possible
- pam_exec:
 * erase responce on error
 * erase auth token
- pam_pwhistory:
 * erase buffers containing old passwords
- pam_selinux: skip overwriting data structure consisting of only pointers to insensitive data, which also gets free'd afterwards (so it currently does not protect against double-free or use-after-free on the member pointers)
- pam_unix: erase cipher data in more places
- pam_userdb: erase password hashes
---
 modules/pam_unix/support.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'modules/pam_unix/support.c')

diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 27ca7127..23a30498 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -805,7 +805,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name
 }
 cleanup:
- memset(pw, 0, sizeof(pw)); /* clear memory of the password */
+ pam_overwrite_array(pw); /* clear memory of the password */
 if (data_name)
 _pam_delete(data_name);
 if (salt)
-- cgit v1.2.3

From 4ce09656536911d9048519b8ee18e53353c9cae8 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk
Date: Thu, 6 Apr 2023 14:44:07 +0200
Subject: configure: Disable NIS if header files are missing

configure.ac: Disable NIS if RPC or YP header files are missing
modules/pam_unix/support.c: Use HAVE_NIS to check for header file presence
modules/pam_unix/pam_unix_passwd.c: Use HAVE_NIS, too
---
 configure.ac | 10 ++++++++--
 modules/pam_unix/pam_unix_passwd.c | 10 ++--------
 modules/pam_unix/support.c | 2 +-
 3 files changed, 11 insertions(+), 11 deletions(-)
(limited to 'modules/pam_unix/support.c')
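Review bot: `pam_overwrite_array(pw)` keeps the old memset's reliance on `sizeof(pw)`, so it erases the whole buffer only if `pw` is declared as a true array in the enclosing function, whose declarations lie above the hunk; with a pointer it would silently wipe just `sizeof(char *)` bytes. Unless pam_overwrite_array already rejects non-array arguments at compile time, a comment at the declaration such as `/* must stay an array: pam_overwrite_array() erases sizeof(pw) bytes */` stops a later refactor to a heap buffer from quietly breaking the erase. The enclosing function starts and ends outside the hunk; the body of the `if (salt)` branch is not visible here.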
diff --git a/configure.ac b/configure.ac
index 8844eb35..f50484d9 100644
--- a/configure.ac
+++ b/configure.ac
@@ -459,7 +459,6 @@ AC_SUBST(LIBDB)
 AC_ARG_ENABLE([nis],
 AS_HELP_STRING([--disable-nis], [Disable building NIS/YP support in pam_unix]))
-AM_CONDITIONAL([HAVE_NIS], [test "x$enable_nis" != "xno"])
 AS_IF([test "x$enable_nis" != "xno"], [
 old_CFLAGS=$CFLAGS
@@ -482,7 +481,9 @@ AS_IF([test "x$enable_nis" != "xno"], [
 AC_CHECK_FUNCS([yp_get_default_domain yperr_string yp_master yp_bind yp_match yp_unbind])
 AC_CHECK_FUNCS([getrpcport rpcb_getaddr])
- AC_CHECK_HEADERS([rpc/rpc.h rpcsvc/ypclnt.h rpcsvc/yp_prot.h])
+ AC_CHECK_HEADER([rpc/rpc.h], , [enable_nis=no])
+ AC_CHECK_HEADER([rpcsvc/ypclnt.h], , [enable_nis=no])
+ AC_CHECK_HEADER([rpcsvc/yp_prot.h], , [enable_nis=no])
 AC_CHECK_DECLS([getrpcport], , , [
 #if HAVE_RPC_RPC_H
 # include
@@ -496,6 +497,11 @@ AS_IF([test "x$enable_nis" != "xno"], [
 AC_SUBST([NIS_CFLAGS])
 AC_SUBST([NIS_LIBS])
+AM_CONDITIONAL([HAVE_NIS], [test "x$enable_nis" != "xno"])
+if test "x$enable_nis" != "xno" ; then
+ AC_DEFINE([HAVE_NIS], 1,
+ [Defines that NIS should be used])
+fi
 AC_ARG_ENABLE([usergroups],
 AS_HELP_STRING([--enable-usergroups], [sets the usergroups option default to enabled]),
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index d5f5e51f..c3417413 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -75,14 +75,8 @@
 #ifdef HAVE_NIS
 # include
-
-# ifdef HAVE_RPCSVC_YP_PROT_H
-# include
-# endif
-
-# ifdef HAVE_RPCSVC_YPCLNT_H
-# include
-# endif
+# include
+# include
 # include "yppasswd.h"
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 23a30498..043273d2 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -19,7 +19,7 @@
 #include
 #include
 #include
-#ifdef HAVE_RPCSVC_YPCLNT_H
+#ifdef HAVE_NIS
 #include
 #endif
-- cgit v1.2.3
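Review bot: The switch from `AC_CHECK_HEADERS` to three `AC_CHECK_HEADER` calls stops configure from defining `HAVE_RPC_RPC_H`, yet the unchanged `#if HAVE_RPC_RPC_H` in the `AC_CHECK_DECLS([getrpcport] ...)` includes two lines below still relies on it — the singular macro only runs its action arguments, and only the plural form emits the HAVE_ define. That probe now compiles without `rpc/rpc.h`, so unless another include further down that list (it continues past the hunk) declares getrpcport, the declaration check can fail on systems where the header is present. Either emit the define in the found-action, `AC_CHECK_HEADER([rpc/rpc.h], [AC_DEFINE([HAVE_RPC_RPC_H], 1, [Define to 1 if you have <rpc/rpc.h>.])], [enable_nis=no])`, or drop the `#if` guard; any remaining `HAVE_RPCSVC_*` users outside the files this commit touches would go dead the same way. Separately, a missing header now silently turns an explicit `--enable-nis` into a build without NIS; an `AC_MSG_WARN` in the not-found action, or a hard error when the user asked for NIS explicitly, would make that downgrade visible.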