- pam_access: rework resolving of tokens as hostname

- separate resolving of IP addresses from hostnames. Don't resolve TTYs or
    display variables as hostname.
  - Add "nodns" option to disallow resolving of tokens as hostname.
  - [pam_access-rework-resolving-of-tokens-as-hostname.patch, bsc#1233078, CVE-2024-10963]

OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=305
This commit is contained in:
Thorsten Kukuk 2024-12-06 09:32:46 +00:00 committed by Git OBS Bridge
commit a01288951c
29 changed files with 3900 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

1
.gitignore vendored Normal file
View File

@ -0,0 +1 @@
.osc

BIN
Linux-PAM-1.6.1.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJmFWt/AAoJEKgEH6g54W42NCwP/iWl8igdScTreVF6zV79Dqu1
sl+ZjBr/dL+DOTcotsRnoAZUOy4ug3iktMZr1t0BMpWUorNmUofH4SZuhsX0CgRq
47t5mVqCakwn4JLq8J9cLOciMno6ips5ZT4RbMgzRYd1WcBurCAxQSNLP3aQGgub
RFObkqw5814ksz9Ge6QVhJ4l9P0wUoKfcpkzHj2Vq+cy0EzlBtnBGCHrMDgrz5aT
mXqGVvWTPO+lR2S+7wOLUtPoRv0uvN6h97ZszaoGoJ6wa6yYwOYz12/AiIsVQhet
cnr29ymuwPDqlrYGD1Hb0+ZUQExjVDQY90hdJ/ZntUlK7CY/2SotpDGB9kR8dTYJ
fpIVmR6GEZ+xSjBqa7RaiL8ieZCgT3TIvsMqteiFkqI+2lhlSGHX3g3oNSd3sbqd
PLok6W4L+xWDp89aMyYDDs/ISjBt5sSNK4NOOTZIMK4oeScGJJvrDL3S5DOSk1ku
o3l9N62WStD7fk0LYnyUGZORg/ccK6Yy2fV22zBMm/76PoyA1yHfFxCW+HwwmcqR
0riaFjA8cesZ3Dj79q24U3FRVdW5fTF9gS/5mK/Yj51KMMzTkUmbjksEC/AEBKzB
9laXxPdIeKUwNlGs7Heo/NE87u4OZfyihwpzLaTcOzbpN3zDyH6aH5poDs1FSaQ2
UoUkHsbCWJU/ksn/9BIQ
=Dbz2
-----END PGP SIGNATURE-----

BIN
Linux-PAM-1.7.0.tar.xz (Stored with Git LFS) Normal file

Binary file not shown.

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIcBAABCgAGBQJnGiIVAAoJEKgEH6g54W42kSsP/jsmwl1WMrtPlze2jtRZ1ZVD
HvJPJMYNCeXKpXxSCL4rt97TeZKp+8WbrmrbG+zG8okIFDKl4rHuU9PpJocIpwDd
+zAD1GQOqeUz0AyPPXBmsMshmQ3z+l8W9ykR1WCFrceXRAswSgNEDEavluVP9EHG
epFA/+t1BR8G3GV6LH9LhRkTOOsE8O30hTEHZp1vCrR+xKJo41ZTq+VVvU8KFUrC
lPGH9pX1ioe5rlLfvKNJthUKVoaNyDXED2la9sJPdTmc5hDBGLIo5hnBpvOn8Zfp
cfMoB3lFBy6MHF7tb4ZfDxgG44D/xIwXd7Zddc6HenJl/SUjucXFq1OXHcK+MhqO
63zFAci8k7ywwPPoGBpHMYZ2czZx3jo++It80b2CBMYKzi9YMVmaq/toEtMyI+Og
W3gh4EfHkN98GQz4XC9yO4fjIno1J/Bwni6HNXBaumbg6xIPRwvxcOCdXZBUjKrx
mDljxQetZJGzURidA+2cdJsAu1o0PDtzPguabno4aW2GMV9tUF3Q3aF+NClg18uZ
+eXlGd/fsrLOIGfhYOpbFyIEE5h/dZq3vIj/NOVfKCsU0yajs6d3Zj2Y+2sxs7ob
z9begFsadFZ6atqA77FL7i4781U2bTtqp8qsj9UXb+gJabqnQZ2k+qBXg4XtAWrn
iJaal6uBXWOJG9BG5l8G
=CVaC
-----END PGP SIGNATURE-----

3
_multibuild Normal file
View File

@ -0,0 +1,3 @@
<multibuild>
<flavor>full</flavor>
</multibuild>

7
baselibs.conf Normal file
View File

@ -0,0 +1,7 @@
pam
requires "(systemd-<targettype> if systemd)"
obsoletes "pam_unix-<targettype>"
obsoletes "pam_unix-nis-<targettype>"
pam-extra
pam-devel
pam-userdb

9
common-account.pamd Normal file
View File

@ -0,0 +1,9 @@
#
# /etc/pam.d/common-account - account settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the account modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired.
#
account required pam_unix.so try_first_pass

11
common-auth.pamd Normal file
View File

@ -0,0 +1,11 @@
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth required pam_env.so
auth required pam_unix.so try_first_pass

11
common-password.pamd Normal file
View File

@ -0,0 +1,11 @@
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
password required pam_unix.so nullok

View File

@ -0,0 +1,13 @@
#
# /etc/pam.d/common-session-nonlogin - session-related modules common
# to services not doing a real login
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive), but not if they don't create a new login session
# (e.g. like cron, chfn, chsh, ...)
#
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so

12
common-session.pamd Normal file
View File

@ -0,0 +1,12 @@
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).
#
session optional pam_systemd.so
session required pam_unix.so try_first_pass
session optional pam_umask.so
session optional pam_env.so

8
macros.pam Normal file
View File

@ -0,0 +1,8 @@
%_pam_libdir %{_libdir}
%_pam_moduledir %{_libdir}/security
%_pam_secconfdir %{_sysconfdir}/security
%_pam_secdistconfdir %{_distconfdir}/security
%_pam_confdir %{_sysconfdir}/pam.d
%_pam_vendordir %{_prefix}/lib/pam.d
# legacy, to be retired
%_pamdir %{_pam_moduledir}

10
other.pamd Normal file
View File

@ -0,0 +1,10 @@
#%PAM-1.0
auth required pam_warn.so
auth required pam_deny.so
account required pam_warn.so
account required pam_deny.so
password required pam_warn.so
password required pam_deny.so
session required pam_warn.so
session required pam_deny.so

View File

@ -0,0 +1,36 @@
From 8ae228fa76ff9ef1d8d6b2199582d9206f1830c6 Mon Sep 17 00:00:00 2001
From: Stanislav Brabec <sbrabec@suse.cz>
Date: Mon, 22 Jul 2024 23:18:16 +0200
Subject: [PATCH] libpam_misc: Use ECHOCTL in the terminal input
Use the canonical terminal mode (line mode) and set ECHOCTL to prevent
cursor escape from the login prompt using arrows or escape sequences.
ICANON is the default in most cases anyway. ECHOCTL is default on tty, but
for example not on pty, allowing cursor to escape.
Stanislav Brabec <sbrabec@suse.com>
---
libpam_misc/misc_conv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
index 7410e929..6b839b48 100644
--- a/libpam_misc/misc_conv.c
+++ b/libpam_misc/misc_conv.c
@@ -145,9 +145,10 @@ static int read_string(int echo, const char *prompt, char **retstr)
return -1;
}
memcpy(&term_tmp, &term_before, sizeof(term_tmp));
- if (!echo) {
+ if (echo)
+ term_tmp.c_lflag |= ICANON | ECHOCTL;
+ else
term_tmp.c_lflag &= ~(ECHO);
- }
have_term = 1;
/*
--
2.45.2

11
pam-limit-nproc.patch Normal file
View File

@ -0,0 +1,11 @@
Index: Linux-PAM-1.3.1/modules/pam_limits/limits.conf
===================================================================
--- Linux-PAM-1.3.1.orig/modules/pam_limits/limits.conf
+++ Linux-PAM-1.3.1/modules/pam_limits/limits.conf
@@ -47,4 +47,6 @@
#ftp hard nproc 0
#@student - maxlogins 4
+# No limits for nproc, use systemd configuration instead
+
# End of file

46
pam-login_defs-check.sh Normal file
View File

@ -0,0 +1,46 @@
#!/bin/bash
# Extract list of variables supported by su/runuser.
#
# If you edit this file, you will probably need to edit
# shadow-login_defs-check.sh from shadow sources in a similar way.
set -o errexit
echo -n "Checking login.defs variables in pam... " >&2
grep -rh LOGIN_DEFS . |
sed -n 's/CRYPTO_KEY/\"HMAC_CRYPTO_ALGO\"/g;s/^.*search_key *([A-Za-z_]*, *[A-Z_]*LOGIN_DEFS, *"\([A-Z0-9_]*\)").*$/\1/p' |
LC_ALL=C sort -u >pam-login_defs-vars.lst
if test $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//') != 8521c47f55dff97fac980d52395b763590cd3f07 ; then
echo "does not match!" >&2
echo "Checksum is: $(sha1sum pam-login_defs-vars.lst | sed 's/ .*$//')" >&2
cat >&2 <<EOF
You have to perform following steps:
Check whether the error is false positive (script failed to extract
variables) or true positive (variable list changed).
If it is false positive:
- Fix this script.
- The same fix is needed in shadow package in shadow-login_defs-check.sh.
If it is true positive:
- Check-out shadow package and call shadow-login_defs-check.sh.
- Compare its output shadow-login_defs-check-pam.lst with
pam-login_defs-vars.lst in the pam build directory.
- Update shadow encryption_method_nis.patch, if needed.
- If encryption_method_nis.patch was updated, update
login_defs-support-for-pam symbol version in both shadow and
pam spec files accordingly.
- Update checksum in this script.
EOF
exit 1
else
echo "OK" >&2
fi

2390
pam.changes Normal file

File diff suppressed because it is too large Load Diff

535
pam.spec Normal file
View File

@ -0,0 +1,535 @@
#
# spec file for package pam
#
# Copyright (c) 2020 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550
# Enable livepatching support for SLE15-SP4 onwards. It requires
# compiler support introduced there.
%define livepatchable 1
# Set variables for livepatching.
%define _other %{_topdir}/OTHER
%define tar_basename pam-livepatch-%{version}-%{release}
%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
%define clones_dest_dir %{tar_basename}/%{_arch}
%else
# Unsupported operating system.
%define livepatchable 0
%endif
%ifnarch x86_64
# Unsupported architectures must have livepatch disabled.
%define livepatchable 0
%endif
%bcond_without selinux
%define flavor @BUILD_FLAVOR@%{nil}
# List of config files for migration to /usr/etc
%define config_files pam.d/other pam.d/common-account pam.d/common-auth pam.d/common-password pam.d/common-session \\\
security/faillock.conf security/group.conf security/limits.conf security/pam_env.conf security/access.conf \\\
security/namespace.conf security/namespace.init security/sepermit.conf
%if "%{flavor}" == "full"
%define build_main 0
%define build_doc 1
%define build_extra 1
%define build_userdb 1
%define name_suffix -%{flavor}-src
%else
%define build_main 1
%define build_doc 0
%define build_extra 0
%define build_userdb 0
%define name_suffix %{nil}
%endif
#
%define libpam_so_version 0.85.1
%define libpam_misc_so_version 0.82.1
%define libpamc_so_version 0.82.1
%if ! %{defined _distconfdir}
%define _distconfdir %{_sysconfdir}
%endif
#
%{load:%{_sourcedir}/macros.pam}
#
Name: pam%{name_suffix}
#
Version: 1.7.0
Release: 0
Summary: A Security Tool that Provides Authentication for Applications
License: GPL-2.0-or-later OR BSD-3-Clause
Group: System/Libraries
URL: https://github.com/linux-pam/linux-pam
Source: Linux-PAM-%{version}.tar.xz
Source1: Linux-PAM-%{version}.tar.xz.asc
Source2: macros.pam
Source3: other.pamd
Source4: common-auth.pamd
Source5: common-account.pamd
Source6: common-password.pamd
Source7: common-session.pamd
Source9: baselibs.conf
Source10: unix2_chkpwd.c
Source11: unix2_chkpwd.8
Source12: pam-login_defs-check.sh
Source13: pam.tmpfiles
Source20: common-session-nonlogin.pamd
Source21: postlogin-auth.pamd
Source22: postlogin-account.pamd
Source23: postlogin-password.pamd
Source24: postlogin-session.pamd
Patch1: pam-limit-nproc.patch
# PATCH-FIX-UPSTREAM: CVE-2024-10963
Patch2: pam_access-rework-resolving-of-tokens-as-hostname.patch
BuildRequires: audit-devel
BuildRequires: bison
BuildRequires: flex
BuildRequires: meson >= 0.62.0
BuildRequires: xz
Requires(post): permissions
# All login.defs variables require support from shadow side.
# Upgrade this symbol version only if new variables appear!
# Verify by shadow-login_defs-check.sh from shadow source package.
Recommends: login_defs-support-for-pam >= 1.5.2
BuildRequires: pkgconfig(libeconf)
%if %{with selinux}
BuildRequires: libselinux-devel
%endif
Obsoletes: pam_unix
Obsoletes: pam_unix-nis
Recommends: pam-manpages
Requires(pre): group(shadow)
Requires(pre): user(root)
%description
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
%if %{build_userdb}
%package -n pam-userdb
Summary: PAM module to authenticate against a separate database
Group: System/Libraries
Provides: pam-extra:%{_pam_moduledir}/pam_userdb.so
BuildRequires: libdb-4_8-devel
BuildRequires: pam-devel
%description -n pam-userdb
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains pam_userdb which is used to verify a
username/password pair against values stored in a Berkeley DB database.
%endif
%if %{build_extra}
%package -n pam-extra
Summary: PAM module with extended dependencies
Group: System/Libraries
BuildRequires: pkgconfig(libsystemd) >= 254
BuildRequires: pam-devel
Provides: pam:%{_sbindir}/pam_timestamp_check
Provides: pam:%{_pam_moduledir}/pam_limits.so
%description -n pam-extra
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains extra modules eg pam_issue and pam_timestamp which
can have extended dependencies.
%endif
%if %{build_doc}
%package -n pam-doc
Summary: Documentation for Pluggable Authentication Modules
Group: Documentation/HTML
BuildArch: noarch
%description -n pam-doc
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains the documentation.
%package -n pam-manpages
Summary: Manualpages for Pluggable Authentication Modules
Group: Documentation/HTML
Provides: pam:/%{_mandir}/man8/PAM.8.gz
BuildArch: noarch
BuildRequires: docbook5-xsl-stylesheets
BuildRequires: elinks
BuildRequires: xmlgraphics-fop
%description -n pam-manpages
PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without
having to recompile programs that do authentication.
This package contains the manual pages.
%endif
%package devel
Summary: Include Files and Libraries for PAM Development
Group: Development/Libraries/C and C++
Requires: glibc-devel
Requires: pam = %{version}
%description devel
PAM (Pluggable Authentication Modules) is a system security tool which
allows system administrators to set authentication policy without
having to recompile programs which do authentication.
This package contains header files and static libraries used for
building both PAM-aware applications and modules for use with PAM.
%prep
%autosetup -p1 -n Linux-PAM-%{version}
cp -a %{SOURCE12} .
%build
bash ./pam-login_defs-check.sh
%if %{livepatchable}
CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
%endif
%meson -Dvendordir=%{_distconfdir} \
-Ddocdir=%{_docdir}/pam \
-Dhtmldir=%{_docdir}/pam/html \
-Dpdfdir=%{_docdir}/pam/pdf \
-Dsecuredir=%{_pam_moduledir} \
%if "%{flavor}" != "full"
-Dlogind=disabled \
-Dpam_userdb=disabled \
-Ddocs=disabled \
%endif
-Dexamples=false \
-Dnis=disabled
%meson_build
%if %{livepatchable}
# Ipa-clones are files generated by gcc which logs changes made across
# functions, and we need to know such changes to build livepatches
# correctly. These files are intended to be used by the livepatch
# developers and may be retrieved by using `osc getbinaries`.
#
# Create list of ipa-clones.
find . -name "*.ipa-clones" ! -empty | sed 's/^\.\///g' | sort > ipa-clones.list
# Create ipa-clones destination folder and move clones there.
mkdir -p ipa-clones/%{clones_dest_dir}
while read f; do
_dest=ipa-clones/%{clones_dest_dir}/$f
mkdir -p ${_dest%/*}
cp $f $_dest
done < ipa-clones.list
# Create tar package with the clone files.
tar cfJ %{tar_package_name} -C ipa-clones %{tar_basename}
# Copy tar package to the OTHERS folder
cp %{tar_package_name} %{_other}
%endif # livepatchable
gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam
%if %{build_main}
%check
%meson_test
%endif
%install
%meson_install
mkdir -p %{buildroot}%{_pam_confdir}
mkdir -p %{buildroot}%{_pam_vendordir}
# install other.pamd and common-*.pamd
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/other
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/common-auth
install -m 644 %{SOURCE5} %{buildroot}%{_pam_vendordir}/common-account
install -m 644 %{SOURCE6} %{buildroot}%{_pam_vendordir}/common-password
install -m 644 %{SOURCE7} %{buildroot}%{_pam_vendordir}/common-session
install -m 644 %{SOURCE20} %{buildroot}%{_pam_vendordir}/common-session-nonlogin
install -m 644 %{SOURCE21} %{buildroot}%{_pam_vendordir}/postlogin-auth
install -m 644 %{SOURCE22} %{buildroot}%{_pam_vendordir}/postlogin-account
install -m 644 %{SOURCE23} %{buildroot}%{_pam_vendordir}/postlogin-password
install -m 644 %{SOURCE24} %{buildroot}%{_pam_vendordir}/postlogin-session
#
# Install READMEs of PAM modules
#
DOC=%{buildroot}%{_defaultdocdir}/pam
%if "%{flavor}" == "full"
mkdir -p $DOC/modules
cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
%endif
# Install unix2_chkpwd
install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
# rpm macros
install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
# /run/motd.d
install -Dm0644 %{SOURCE13} %{buildroot}%{_tmpfilesdir}/pam.conf
mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
# Remove manual pages for main package
%if !%{build_doc}
rm -rf %{buildroot}%{_mandir}/man?/*
%else
install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
# bsc#1188724
echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
%endif
%if !%{build_main}
rm -rf %{buildroot}{%{_distconfdir}/environment,%{_pam_secdistconfdir}/{a,f,g,n,p,s,t}*}
rm -rf %{buildroot}{%{_sysconfdir},%{_sbindir}/{f*,m*,pam_n*,pw*,u*},%{_pam_secconfdir},%{_pam_confdir},%{_datadir}/locale}
rm -rf %{buildroot}{%{_includedir},%{_libdir}/{libpam*,pkgconfig},%{_pam_vendordir},%{_rpmmacrodir},%{_tmpfilesdir},%{_unitdir}/pam_namespace.service}
rm -rf %{buildroot}%{_pam_moduledir}/pam_{a,b,c,d,e,f,g,h,j,k,la,lis,lo,m,n,o,p,q,r,s,v,w,x,y,z,time.,tt,um,un,usertype}*
%else
# Delete files for extra package
rm -rf %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limits.conf,%{_pam_moduledir}/pam_issue.so,%{_pam_moduledir}/pam_timestamp.so,%{_sbindir}/pam_timestamp_check}
# Create filelist with translations
%find_lang Linux-PAM
%endif
%if %{build_main}
%verifyscript
%verify_permissions -e %{_sbindir}/unix_chkpwd
%verify_permissions -e %{_sbindir}/unix2_chkpwd
%post
/sbin/ldconfig
%set_permissions %{_sbindir}/unix_chkpwd
%set_permissions %{_sbindir}/unix2_chkpwd
%tmpfiles_create %{_tmpfilesdir}/pam.conf
%postun -p /sbin/ldconfig
%pre
for i in securetty %{config_files} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc.
for i in securetty %{config_files} ; do
test -f %{_sysconfdir}/${i}.rpmsave && mv -v %{_sysconfdir}/${i}.rpmsave %{_sysconfdir}/${i} ||:
done
%files -f Linux-PAM.lang
%doc NEWS
%license COPYING
%dir %{_pam_confdir}
%dir %{_pam_vendordir}
%dir %{_pam_secconfdir}
%dir %{_pam_secdistconfdir}
%{_pam_vendordir}/other
%{_pam_vendordir}/common-*
%{_pam_vendordir}/postlogin-*
%{_distconfdir}/environment
%{_pam_secdistconfdir}/access.conf
%{_pam_secdistconfdir}/group.conf
%{_pam_secdistconfdir}/faillock.conf
%{_pam_secdistconfdir}/pam_env.conf
%if %{with selinux}
%{_pam_secdistconfdir}/sepermit.conf
%endif
%{_pam_secdistconfdir}/time.conf
%{_pam_secdistconfdir}/namespace.conf
%{_pam_secdistconfdir}/namespace.init
%{_pam_secdistconfdir}/pwhistory.conf
%dir %{_pam_secdistconfdir}/namespace.d
%{_libdir}/libpam.so.0
%{_libdir}/libpam.so.%{libpam_so_version}
%{_libdir}/libpamc.so.0
%{_libdir}/libpamc.so.%{libpamc_so_version}
%{_libdir}/libpam_misc.so.0
%{_libdir}/libpam_misc.so.%{libpam_misc_so_version}
%dir %{_pam_moduledir}
%{_pam_moduledir}/pam_access.so
%{_pam_moduledir}/pam_canonicalize_user.so
%{_pam_moduledir}/pam_debug.so
%{_pam_moduledir}/pam_deny.so
%{_pam_moduledir}/pam_echo.so
%{_pam_moduledir}/pam_env.so
%{_pam_moduledir}/pam_exec.so
%{_pam_moduledir}/pam_faildelay.so
%{_pam_moduledir}/pam_faillock.so
%{_pam_moduledir}/pam_filter.so
%dir %{_pam_moduledir}/pam_filter
%{_pam_moduledir}//pam_filter/upperLOWER
%{_pam_moduledir}/pam_ftp.so
%{_pam_moduledir}/pam_group.so
%{_pam_moduledir}/pam_keyinit.so
%{_pam_moduledir}/pam_listfile.so
%{_pam_moduledir}/pam_localuser.so
%{_pam_moduledir}/pam_loginuid.so
%{_pam_moduledir}/pam_mail.so
%{_pam_moduledir}/pam_mkhomedir.so
%{_pam_moduledir}/pam_motd.so
%{_pam_moduledir}/pam_namespace.so
%{_pam_moduledir}/pam_nologin.so
%{_pam_moduledir}/pam_permit.so
%{_pam_moduledir}/pam_pwhistory.so
%{_pam_moduledir}/pam_rhosts.so
%{_pam_moduledir}/pam_rootok.so
%{_pam_moduledir}/pam_securetty.so
%if %{with selinux}
%{_pam_moduledir}/pam_selinux.so
%{_pam_moduledir}/pam_sepermit.so
%endif
%{_pam_moduledir}/pam_setquota.so
%{_pam_moduledir}/pam_shells.so
%{_pam_moduledir}/pam_stress.so
%{_pam_moduledir}/pam_succeed_if.so
%{_pam_moduledir}/pam_time.so
%{_pam_moduledir}/pam_tty_audit.so
%{_pam_moduledir}/pam_umask.so
%{_pam_moduledir}/pam_unix.so
%{_pam_moduledir}/pam_usertype.so
%{_pam_moduledir}/pam_warn.so
%{_pam_moduledir}/pam_wheel.so
%{_pam_moduledir}/pam_xauth.so
%{_sbindir}/faillock
%{_sbindir}/mkhomedir_helper
%{_sbindir}/pam_namespace_helper
%{_sbindir}/pwhistory_helper
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
%attr(0700,root,root) %{_sbindir}/unix_update
%{_unitdir}/pam_namespace.service
%{_tmpfilesdir}/pam.conf
%files devel
%defattr(644,root,root,755)
%dir %{_includedir}/security
%{_includedir}/security/*.h
%{_libdir}/libpam.so
%{_libdir}/libpamc.so
%{_libdir}/libpam_misc.so
%{_rpmmacrodir}/macros.pam
%{_libdir}/pkgconfig/pam*.pc
%endif
%if %{build_userdb}
%files -n pam-userdb
%defattr(-,root,root,755)
%{_pam_moduledir}/pam_userdb.so
%{_mandir}/man8/pam_userdb.8%{?ext_man}
%endif
%if %{build_extra}
%files -n pam-extra
%defattr(-,root,root,755)
%dir %{_pam_secdistconfdir}
%dir %{_pam_secdistconfdir}/limits.d
%{_pam_secdistconfdir}/limits.conf
%{_pam_moduledir}/pam_limits.so
%{_pam_moduledir}/pam_issue.so
%{_pam_moduledir}/pam_timestamp.so
%{_sbindir}/pam_timestamp_check
%endif
%if %{build_doc}
%files -n pam-doc
%defattr(644,root,root,755)
%dir %{_defaultdocdir}/pam
%doc %{_defaultdocdir}/pam/html
%doc %{_defaultdocdir}/pam/modules
%doc %{_defaultdocdir}/pam/pdf
%doc %{_defaultdocdir}/pam/*.txt
%files -n pam-manpages
%{_mandir}/man3/pam*.3%{?ext_man}
%{_mandir}/man3/misc_conv.3%{?ext_man}
%{_mandir}/man5/environment.5%{?ext_man}
%{_mandir}/man5/*.conf.5%{?ext_man}
%{_mandir}/man5/pam.d.5%{?ext_man}
%{_mandir}/man5/motd.5%{?ext_man}
%{_mandir}/man8/PAM.8%{?ext_man}
%{_mandir}/man8/faillock.8%{?ext_man}
%{_mandir}/man8/mkhomedir_helper.8%{?ext_man}
%{_mandir}/man8/pam.8%{?ext_man}
%{_mandir}/man8/pam_access.8%{?ext_man}
%{_mandir}/man8/pam_canonicalize_user.8%{?ext_man}
%{_mandir}/man8/pam_debug.8%{?ext_man}
%{_mandir}/man8/pam_deny.8%{?ext_man}
%{_mandir}/man8/pam_echo.8%{?ext_man}
%{_mandir}/man8/pam_env.8%{?ext_man}
%{_mandir}/man8/pam_exec.8%{?ext_man}
%{_mandir}/man8/pam_faildelay.8%{?ext_man}
%{_mandir}/man8/pam_faillock.8%{?ext_man}
%{_mandir}/man8/pam_filter.8%{?ext_man}
%{_mandir}/man8/pam_ftp.8%{?ext_man}
%{_mandir}/man8/pam_group.8%{?ext_man}
%{_mandir}/man8/pam_issue.8%{?ext_man}
%{_mandir}/man8/pam_keyinit.8%{?ext_man}
%{_mandir}/man8/pam_limits.8%{?ext_man}
%{_mandir}/man8/pam_listfile.8%{?ext_man}
%{_mandir}/man8/pam_localuser.8%{?ext_man}
%{_mandir}/man8/pam_loginuid.8%{?ext_man}
%{_mandir}/man8/pam_mail.8%{?ext_man}
%{_mandir}/man8/pam_mkhomedir.8%{?ext_man}
%{_mandir}/man8/pam_motd.8%{?ext_man}
%{_mandir}/man8/pam_namespace.8%{?ext_man}
%{_mandir}/man8/pam_namespace_helper.8%{?ext_man}
%{_mandir}/man8/pam_nologin.8%{?ext_man}
%{_mandir}/man8/pam_permit.8%{?ext_man}
%{_mandir}/man8/pam_pwhistory.8%{?ext_man}
%{_mandir}/man8/pam_rhosts.8%{?ext_man}
%{_mandir}/man8/pam_rootok.8%{?ext_man}
%{_mandir}/man8/pam_securetty.8%{?ext_man}
%if %{with selinux}
%{_mandir}/man8/pam_selinux.8%{?ext_man}
%{_mandir}/man8/pam_sepermit.8%{?ext_man}
%endif
%{_mandir}/man8/pam_setquota.8%{?ext_man}
%{_mandir}/man8/pam_shells.8%{?ext_man}
%{_mandir}/man8/pam_stress.8%{?ext_man}
%{_mandir}/man8/pam_succeed_if.8%{?ext_man}
%{_mandir}/man8/pam_time.8%{?ext_man}
%{_mandir}/man8/pam_timestamp.8%{?ext_man}
%{_mandir}/man8/pam_timestamp_check.8%{?ext_man}
%{_mandir}/man8/pam_tty_audit.8%{?ext_man}
%{_mandir}/man8/pam_umask.8%{?ext_man}
%{_mandir}/man8/pam_unix.8%{?ext_man}
%{_mandir}/man8/pam_usertype.8%{?ext_man}
%{_mandir}/man8/pam_warn.8%{?ext_man}
%{_mandir}/man8/pam_wheel.8%{?ext_man}
%{_mandir}/man8/pam_xauth.8%{?ext_man}
%{_mandir}/man8/pwhistory_helper.8%{?ext_man}
%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_chkpwd.8%{?ext_man}
%{_mandir}/man8/unix_update.8%{?ext_man}
%endif
%changelog

4
pam.tmpfiles Normal file
View File

@ -0,0 +1,4 @@
#Type Path Mode User Group Age Argument
D /run/faillock 0755 root root - -
D /run/motd.d 0755 root root - -
D /run/pam_timestamp 0755 root root - -

View File

@ -0,0 +1,225 @@
From 940747f88c16e029b69a74e80a2e94f65cb3e628 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 14 Nov 2024 10:27:28 +0100
Subject: [PATCH] pam_access: rework resolving of tokens as hostname
* modules/pam_access/pam_access.c: separate resolving of IP addresses
from hostnames. Don't resolve TTYs or display variables as hostname
(#834).
Add "nodns" option to disallow resolving of tokens as hostname.
* modules/pam_access/pam_access.8.xml: document nodns option
* modules/pam_access/access.conf.5.xml: document that hostnames should
be written as FQHN.
---
modules/pam_access/access.conf.5.xml | 4 ++
modules/pam_access/pam_access.8.xml | 46 ++++++++++++------
modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++-
3 files changed, 105 insertions(+), 17 deletions(-)
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index 0b93db00..10b8ba92 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -233,6 +233,10 @@
An IPv6 link local host address must contain the interface
identifier. IPv6 link local network/netmask is not supported.
</para>
+ <para>
+ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
+ confusion with device names or PAM service names.
+ </para>
</refsect1>
<refsect1 xml:id="access.conf-see_also">
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index c991d7a0..71a4f7ee 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -22,11 +22,14 @@
<arg choice="opt" rep="norepeat">
debug
</arg>
+ <arg choice="opt" rep="norepeat">
+ noaudit
+ </arg>
<arg choice="opt" rep="norepeat">
nodefgroup
</arg>
<arg choice="opt" rep="norepeat">
- noaudit
+ nodns
</arg>
<arg choice="opt" rep="norepeat">
quiet_log
@@ -132,6 +135,33 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ nodefgroup
+ </term>
+ <listitem>
+ <para>
+ User tokens which are not enclosed in parentheses will not be
+ matched against the group database. The backwards compatible default is
+ to try the group database match even for tokens not enclosed
+ in parentheses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ nodns
+ </term>
+ <listitem>
+ <para>
+ Do not try to resolve tokens as hostnames, only IPv4 and IPv6
+ addresses will be resolved. Which means to allow login from a
+ remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>
quiet_log
@@ -185,20 +215,6 @@
</listitem>
</varlistentry>
- <varlistentry>
- <term>
- nodefgroup
- </term>
- <listitem>
- <para>
- User tokens which are not enclosed in parentheses will not be
- matched against the group database. The backwards compatible default is
- to try the group database match even for tokens not enclosed
- in parentheses.
- </para>
- </listitem>
- </varlistentry>
-
</variablelist>
</refsect1>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 48e7c7e9..109115e9 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -100,6 +100,7 @@ struct login_info {
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
int noaudit; /* Do not audit denials */
int quiet_log; /* Do not log denials */
+ int nodns; /* Do not try to resolve tokens as hostnames */
const char *fs; /* field separator */
const char *sep; /* list-element separator */
int from_remote_host; /* If PAM_RHOST was used for from */
@@ -154,6 +155,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
loginfo->noaudit = YES;
} else if (strcmp (argv[i], "quiet_log") == 0) {
loginfo->quiet_log = YES;
+ } else if (strcmp (argv[i], "nodns") == 0) {
+ loginfo->nodns = YES;
} else {
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
}
@@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
if ((str_len = strlen(string)) > tok_len
&& strcasecmp(tok, string + str_len - tok_len) == 0)
return YES;
- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
+ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */
struct addrinfo hint;
memset (&hint, '\0', sizeof (hint));
@@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
}
+static int
+is_device (pam_handle_t *pamh, const char *tok)
+{
+ struct stat st;
+ const char *dev = "/dev/";
+ char *devname;
+
+ devname = malloc (strlen(dev) + strlen (tok) + 1);
+ if (devname == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
+ /*
+ * We should return an error and abort, but pam_access has no good
+ * error handling.
+ */
+ return NO;
+ }
+
+ char *cp = stpcpy (devname, dev);
+ strcpy (cp, tok);
+
+ if (lstat(devname, &st) != 0)
+ {
+ free (devname);
+ return NO;
+ }
+ free (devname);
+
+ if (S_ISCHR(st.st_mode))
+ return YES;
+
+ return NO;
+}
+
/* network_netmask_match - match a string against one token
* where string is a hostname or ip (v4,v6) address and tok
* represents either a hostname, a single ip (v4,v6) address
@@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh,
return NO;
}
}
+ else if (isipaddr(tok, NULL, NULL) == YES)
+ {
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ {
+ if (item->debug)
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
+
+ return NO;
+ }
+ netmask_ptr = NULL;
+ }
+ else if (item->nodns)
+ {
+ /* Only hostnames are left, which we would need to resolve via DNS */
+ return NO;
+ }
else
{
+ /* Bail out on X11 Display entries and ttys. */
+ if (tok[0] == ':')
+ {
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s is X11 display", tok);
+ return NO;
+ }
+ if (is_device (pamh, tok))
+ {
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s is a TTY", tok);
+ return NO;
+ }
+
/*
- * It is either an IP address or a hostname.
+ * It is most likely a hostname.
* Let getaddrinfo sort everything out
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
--
2.47.0

51
pam_issue-systemd.patch Normal file
View File

@ -0,0 +1,51 @@
From 8401cef10cd5f62849c5fcfef4c82db92712296c Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Wed, 4 Sep 2024 16:07:56 +0200
Subject: [PATCH] pam_issue: only count class user
Since systemd added new types of classes (e.g. manager*), we cannot
use the count of all sessions anymore, but have to check which class
this is.
This is backward compatible, systemd v209 or newer is required.
---
modules/pam_issue/pam_issue.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/modules/pam_issue/pam_issue.c b/modules/pam_issue/pam_issue.c
index aade642ec5..e2c555c405 100644
--- a/modules/pam_issue/pam_issue.c
+++ b/modules/pam_issue/pam_issue.c
@@ -165,13 +165,31 @@ read_issue_quoted(pam_handle_t *pamh, FILE *fp, char **prompt)
{
unsigned int users = 0;
#ifdef USE_LOGIND
- int sessions = sd_get_sessions(NULL);
+ char **sessions_list;
+ int sessions = sd_get_sessions(&sessions_list);
if (sessions < 0) {
pam_syslog(pamh, LOG_ERR, "logind error: %s",
strerror(-sessions));
_pam_drop(issue);
return PAM_SERVICE_ERR;
+ } else if (sessions > 0 && sessions_list != NULL) {
+ int i;
+
+ for (i = 0; i < sessions; i++) {
+ char *class;
+
+ if (sd_session_get_class(sessions_list[i], &class) < 0 || class == NULL)
+ continue;
+
+ if (strncmp(class, "user", 4) == 0) // user, user-early, user-incomplete
+ users++;
+ free(class);
+ }
+
+ for (i = 0; i < sessions; i++)
+ free(sessions_list[i]);
+ free(sessions_list);
} else {
users = sessions;
}

10
postlogin-account.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-account - account settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-account".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

10
postlogin-auth.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-auth - authentication settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-auth".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

10
postlogin-password.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-password - password settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-password".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

10
postlogin-session.pamd Normal file
View File

@ -0,0 +1,10 @@
#
# /etc/pam.d/postlogin-session - session settings common to login services
#
# This file is included from login service-specific PAM config files,
# and contains the PAM modules which should be called after
# the modules of "common-session".
#
# This file should only be included from services doing real logins,
# so like "login", "xdm" or "sshd", but not "chsh" or "cron".
#

79
unix2_chkpwd.8 Normal file
View File

@ -0,0 +1,79 @@
.\" Copyright (C) 2003 International Business Machines Corporation
.\" This file is distributed according to the GNU General Public License.
.\" See the file COPYING in the top level source directory for details.
.\"
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
.SH NAME
unix2_chkpwd \- helper binary that verifies the password of the current user
.SH "SYNOPSIS"
.ad l
.hy 0
/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
.sp
.ad
.hy
.SH "DESCRIPTION"
.PP
\fBunix2_chkpwd\fR is a helper program for applications that verifies
the password of the current user. It is not intended to be run directly from
the command line and logs a security violation if done so.
It is typically installed setuid root or setgid shadow and called by
applications, which only wishes to do an user authentification and
nothing more.
.SH "OPTIONS"
.PP
unix2_chkpwd requires the following arguments:
.TP
\fIpam_service\fR
The name of the service using unix2_chkpwd. This is required to be one of
the services in /etc/pam.d
.TP
\fIusername\fR
The name of the user whose password you want to verify.
.SH "INPUTS"
.PP
unix2_chkpwd expects the password via stdin.
.SH "RETURN CODES"
.PP
\fBunix2_chkpwd\fR has the following return codes:
.TP
1
unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
.TP
0
The password is correct.
.SH "HISTORY"
Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
.SH "SEE ALSO"
.PP
\fBpam\fR(8)
.SH AUTHOR
Emily Ratliff.

337
unix2_chkpwd.c Normal file
View File

@ -0,0 +1,337 @@
/*
* Set*id helper program for PAM authentication.
*
* It is supposed to be called from pam_unix2's
* pam_sm_authenticate function if the function notices
* that it's unable to get the password from the shadow file
* because it doesn't have sufficient permissions.
*
* Copyright (C) 2002 SuSE Linux AG
*
* Written by okir@suse.de, loosely based on unix_chkpwd
* by Andrew Morgan.
*/
#include <security/pam_appl.h>
#include <security/_pam_macros.h>
#include <sys/types.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#include <pwd.h>
#include <signal.h>
#include <fcntl.h>
#include <ctype.h>
#include <errno.h>
#define BUFLEN 1024
#ifndef LOGINDEFS
#define LOGINDEFS "/etc/login.defs"
#endif
#define LOGINDEFS_FAIL_DELAY_KEY "FAIL_DELAY"
#define DEFAULT_FAIL_DELAY_S 10
#define PASSWD_CRACKER_DELAY_MS 100
enum {
UNIX_PASSED = 0,
UNIX_FAILED = 1
};
static char * program_name;
static char pass[64];
static int npass = -1;
/*
* Log error messages
*/
static void
_log_err(int err, const char *format,...)
{
va_list args;
va_start(args, format);
openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
vsyslog(err, format, args);
va_end(args);
closelog();
}
static void
su_sighandler(int sig)
{
if (sig > 0) {
_log_err(LOG_NOTICE, "caught signal %d.", sig);
exit(sig);
}
}
/*
* Setup signal handlers
*/
static void
setup_signals(void)
{
struct sigaction action;
memset((void *) &action, 0, sizeof(action));
action.sa_handler = su_sighandler;
action.sa_flags = SA_RESETHAND;
sigaction(SIGILL, &action, NULL);
sigaction(SIGTRAP, &action, NULL);
sigaction(SIGBUS, &action, NULL);
sigaction(SIGSEGV, &action, NULL);
action.sa_handler = SIG_IGN;
action.sa_flags = 0;
sigaction(SIGTERM, &action, NULL);
sigaction(SIGHUP, &action, NULL);
sigaction(SIGINT, &action, NULL);
sigaction(SIGQUIT, &action, NULL);
sigaction(SIGALRM, &action, NULL);
}
static int
_converse(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr)
{
struct pam_response *reply;
int num;
if (!(reply = malloc(sizeof(*reply) * num_msg)))
return PAM_CONV_ERR;
for (num = 0; num < num_msg; num++) {
reply[num].resp_retcode = PAM_SUCCESS;
reply[num].resp = NULL;
switch (msg[num]->msg_style) {
case PAM_PROMPT_ECHO_ON:
return PAM_CONV_ERR;
case PAM_PROMPT_ECHO_OFF:
/* read the password from stdin */
if (npass < 0) {
npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
if (npass < 0) {
_log_err(LOG_DEBUG, "error reading password");
return UNIX_FAILED;
}
pass[npass] = '\0';
}
reply[num].resp = strdup(pass);
break;
case PAM_TEXT_INFO:
case PAM_ERROR_MSG:
/* ignored */
break;
default:
/* Must be an error of some sort... */
return PAM_CONV_ERR;
}
}
*resp = reply;
return PAM_SUCCESS;
}
static int
_authenticate(const char *service, const char *user)
{
struct pam_conv conv = { _converse, NULL };
pam_handle_t *pamh;
int err;
err = pam_start(service, user, &conv, &pamh);
if (err != PAM_SUCCESS) {
_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
service, user, err);
return UNIX_FAILED;
}
err = pam_authenticate(pamh, 0);
if (err != PAM_SUCCESS)
_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
service, user,
pam_strerror(pamh, err));
if (err == PAM_SUCCESS)
{
err = pam_acct_mgmt(pamh, 0);
if (err == PAM_SUCCESS)
{
int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
if (err2 != PAM_SUCCESS)
_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
service, user,
pam_strerror(pamh, err2));
/*
* ignore errors on refresh credentials.
* If this did not work we use the old once.
*/
} else {
_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
service, user,
pam_strerror(pamh, err));
}
}
pam_end(pamh, err);
if (err != PAM_SUCCESS)
return UNIX_FAILED;
return UNIX_PASSED;
}
static char *
getuidname(uid_t uid)
{
struct passwd *pw;
static char username[32];
pw = getpwuid(uid);
if (pw == NULL)
return NULL;
strncpy(username, pw->pw_name, sizeof(username));
username[sizeof(username) - 1] = '\0';
endpwent();
return username;
}
static int
sane_pam_service(const char *name)
{
const char *sp;
char path[128];
if (strlen(name) > 32)
return 0;
for (sp = name; *sp; sp++) {
if (!isalnum(*sp) && *sp != '_' && *sp != '-')
return 0;
}
snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
return access(path, R_OK) == 0;
}
static int
get_system_fail_delay (void)
{
FILE *fs;
char buf[BUFLEN];
long int delay = -1;
char *s;
int l;
fs = fopen(LOGINDEFS, "r");
if (NULL == fs) {
goto bail_out;
}
while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
if (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
continue;
}
s = buf + strspn(buf, " \t");
l = strcspn(s, " \t");
if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
continue;
}
s += l;
s += strspn(s, " \t");
errno = 0;
delay = strtol(s, NULL, 10);
if (errno) {
delay = -1;
}
break;
}
fclose (fs);
bail_out:
delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
return (int)delay;
}
int
main(int argc, char *argv[])
{
const char *program_name;
char *service, *user;
int fd;
int result = UNIX_FAILED;
uid_t uid;
uid = getuid();
/*
* Make sure standard file descriptors are connected.
*/
while ((fd = open("/dev/null", O_RDWR)) <= 2)
;
close(fd);
/*
* Get the program name
*/
if (argc == 0)
program_name = "unix2_chkpwd";
else if ((program_name = strrchr(argv[0], '/')) != NULL)
program_name++;
else
program_name = argv[0];
/*
* Catch or ignore as many signal as possible.
*/
setup_signals();
/*
* Check argument list
*/
if (argc < 2 || argc > 3) {
_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
return UNIX_FAILED;
}
/*
* Get the service name and do some sanity checks on it
*/
service = argv[1];
if (!sane_pam_service(service)) {
_log_err(LOG_ERR, "Illegal service name '%s'", service);
return UNIX_FAILED;
}
/*
* Discourage users messing around (fat chance)
*/
if (isatty(STDIN_FILENO) && uid != 0) {
_log_err(LOG_NOTICE,
"Inappropriate use of Unix helper binary [UID=%d]",
uid);
fprintf(stderr,
"This binary is not designed for running in this way\n"
"-- the system administrator has been informed\n");
sleep(10); /* this should discourage/annoy the user */
return UNIX_FAILED;
}
/*
* determine the caller's user name
*/
user = getuidname(uid);
if (argc == 3 && strcmp(user, argv[2])) {
user = argv[2];
}
result = _authenticate(service, user);
/* Discourage use of this program as a
* password cracker */
usleep(PASSWD_CRACKER_DELAY_MS * 1000);
if (result != UNIX_PASSED && uid != 0)
sleep(get_system_fail_delay());
return result;
}