37 lines
1.4 KiB
Diff
37 lines
1.4 KiB
Diff
diff --color -ruN pam_u2f-1.3.0/util.c pam_u2f-1.3.0-patched/util.c
|
|
--- pam_u2f-1.3.0/util.c 2025-01-21 15:23:47.543942428 +0100
|
|
+++ pam_u2f-1.3.0-patched/util.c 2025-01-21 15:30:44.396946756 +0100
|
|
@@ -6,6 +6,7 @@
|
|
#include <fido/es256.h>
|
|
#include <fido/rs256.h>
|
|
#include <fido/eddsa.h>
|
|
+#include <syslog.h>
|
|
|
|
#include <openssl/ec.h>
|
|
#include <openssl/obj_mac.h>
|
|
@@ -709,8 +710,22 @@
|
|
opwfile_size = st.st_size;
|
|
|
|
if (st.st_uid != 0 && st.st_uid != geteuid()) {
|
|
- debug_dbg(cfg, "Authentication file has insecure ownership");
|
|
- goto err;
|
|
+ /* XXX: attempt to prevent two messages to syslog */
|
|
+ if (cfg->debug_file) {
|
|
+ debug_dbg(cfg,
|
|
+ "Permissions %04o for '%s' are too open. Please change the "
|
|
+ "file mode bits to 0644 or more restrictive. This may become "
|
|
+ "an error in the future!",
|
|
+ (unsigned int) st.st_mode & 0777, cfg->auth_file);
|
|
+ }
|
|
+#ifndef WITH_FUZZING
|
|
+ /* XXX: force a message to syslog, regardless of the debug level */
|
|
+ syslog(LOG_AUTHPRIV | LOG_WARNING,
|
|
+ "warning(pam_u2f): Permissions %04o for '%s' are too open. Please "
|
|
+ "change the file mode bits to 0644 or more restrictive. This may "
|
|
+ "become an error in the future!",
|
|
+ (unsigned int) st.st_mode & 0777, cfg->auth_file);
|
|
+#endif
|
|
}
|
|
|
|
opwfile = fdopen(fd, "r");
|