From 9f19e7da7a014e022cdbba06accca171adef27e0 Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Thu, 4 Jan 2024 18:23:59 +0100
Subject: pam_unix: set close-on-exec

Since the module operates on sensitive files set the close-on-exec flag,
to avoid file descriptor leaks if there is ever any sibling thread.

The fopen(3) mode "e" is supported in glibc since version 2.7 (released
in 2007), and ignored prior, see:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=65d834b0add966dbbdb5ed1e916c60b2b2d87f10
---
 modules/pam_unix/lckpwdf.-c        | 17 +++--------------
 modules/pam_unix/pam_unix_passwd.c |  2 +-
 modules/pam_unix/passverify.c      | 16 ++++++++--------
 modules/pam_unix/support.c         |  2 +-
 4 files changed, 13 insertions(+), 24 deletions(-)

(limited to 'modules/pam_unix')

diff --git a/modules/pam_unix/lckpwdf.-c b/modules/pam_unix/lckpwdf.-c
index c3e63155..4d0f0ad3 100644
--- a/modules/pam_unix/lckpwdf.-c
+++ b/modules/pam_unix/lckpwdf.-c
@@ -35,15 +35,6 @@
 
 static int lockfd = -1;
 
-static int set_close_on_exec(int fd)
-{
-	int flags = fcntl(fd, F_GETFD, 0);
-	if (flags == -1)
-		return -1;
-	flags |= FD_CLOEXEC;
-	return fcntl(fd, F_SETFD, flags);
-}
-
 static int do_lock(int fd)
 {
 	struct flock fl;
@@ -70,7 +61,7 @@ static int lckpwdf(void)
 #ifdef WITH_SELINUX
 	if(is_selinux_enabled()>0)
 	{
-		lockfd = open(LOCKFILE, O_WRONLY);
+		lockfd = open(LOCKFILE, O_WRONLY | O_CLOEXEC);
 		if(lockfd == -1 && errno == ENOENT)
 		{
 			char *create_context_raw;
@@ -82,18 +73,16 @@ static int lckpwdf(void)
 			freecon(create_context_raw);
 			if(rc)
 				return -1;
-			lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+			lockfd = open(LOCKFILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
 			if(setfscreatecon_raw(NULL))
 				return -1;
 		}
 	}
 	else
 #endif
-	lockfd = open(LOCKFILE, O_CREAT | O_WRONLY, 0600);
+	lockfd = open(LOCKFILE, O_CREAT | O_WRONLY | O_CLOEXEC, 0600);
 	if (lockfd == -1)
 		return -1;
-	if (set_close_on_exec(lockfd) == -1)
-		goto cleanup_fd;
 
 	memset(&act, 0, sizeof act);
 	act.sa_handler = alarm_catch;
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index fe3f566a..3a223949 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -346,7 +346,7 @@ static int check_old_password(const char *forwho, const char *newpass)
 	size_t n = 0;
 	size_t len = strlen(forwho);
 
-	opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+	opwfile = fopen(OLD_PASSWORDS_FILE, "re");
 	if (opwfile == NULL)
 		return PAM_ABORT;
 
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 60d9ceca..303929a4 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -400,7 +400,7 @@ crypt_make_salt(char *where, int length)
 	int fd;
 	int rv;
 
-	if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY)) != -1) {
+	if ((rv = fd = open(PAM_PATH_RANDOMDEV, O_RDONLY | O_CLOEXEC)) != -1) {
 		while ((rv = read(fd, where, length)) != length && errno == EINTR);
 		close (fd);
 	}
@@ -557,7 +557,7 @@ unix_selinux_confined(void)
     }
 
     /* let's try opening shadow read only */
-    if ((fd=open("/etc/shadow", O_RDONLY)) != -1) {
+    if ((fd=open("/etc/shadow", O_RDONLY | O_CLOEXEC)) != -1) {
         close(fd);
         confined = 0;
         return confined;
@@ -695,14 +695,14 @@ save_old_password(pam_handle_t *pamh, const char *forwho, const char *oldpass,
       freecon(passwd_context_raw);
     }
 #endif
-    pwfile = fopen(OPW_TMPFILE, "w");
+    pwfile = fopen(OPW_TMPFILE, "we");
     umask(oldmask);
     if (pwfile == NULL) {
       err = 1;
       goto done;
     }
 
-    opwfile = fopen(OLD_PASSWORDS_FILE, "r");
+    opwfile = fopen(OLD_PASSWORDS_FILE, "re");
     if (opwfile == NULL) {
 	fclose(pwfile);
       err = 1;
@@ -858,14 +858,14 @@ PAMH_ARG_DECL(int unix_update_passwd,
       freecon(passwd_context_raw);
     }
 #endif
-    pwfile = fopen(PW_TMPFILE, "w");
+    pwfile = fopen(PW_TMPFILE, "we");
     umask(oldmask);
     if (pwfile == NULL) {
       err = 1;
       goto done;
     }
 
-    opwfile = fopen("/etc/passwd", "r");
+    opwfile = fopen("/etc/passwd", "re");
     if (opwfile == NULL) {
 	fclose(pwfile);
 	err = 1;
@@ -983,14 +983,14 @@ PAMH_ARG_DECL(int unix_update_shadow,
       freecon(shadow_context_raw);
     }
 #endif
-    pwfile = fopen(SH_TMPFILE, "w");
+    pwfile = fopen(SH_TMPFILE, "we");
     umask(oldmask);
     if (pwfile == NULL) {
 	err = 1;
 	goto done;
     }
 
-    opwfile = fopen("/etc/shadow", "r");
+    opwfile = fopen("/etc/shadow", "re");
     if (opwfile == NULL) {
 	fclose(pwfile);
 	err = 1;
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 546ef820..d391973f 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -352,7 +352,7 @@ int _unix_getpwnam(pam_handle_t *pamh, const char *name,
 	if (!matched && files && strchr(name, ':') == NULL) {
 		FILE *passwd;
 
-		passwd = fopen("/etc/passwd", "r");
+		passwd = fopen("/etc/passwd", "re");
 		if (passwd != NULL) {
 			size_t n = 0, userlen;
 			ssize_t r;
-- 
cgit v1.2.3