Accepting request 883597 from home:jmoellers:branches:Linux-PAM

bsc1184358 OBS-URL: https://build.opensuse.org/request/show/883597 OBS-URL: https://build.opensuse.org/package/show/Linux-PAM/pam?expand=0&rev=236
2021-04-07 13:01:25 +00:00 · 2021-04-07 13:01:25 +00:00 · 24e9b7b6ee
commit 24e9b7b6ee
parent 9080c178e7
3 changed files with 102 additions and 0 deletions
--- a/bsc1184358-prevent-LOCAL-from-being-resolved.patch
+++ b/bsc1184358-prevent-LOCAL-from-being-resolved.patch
@ -0,0 +1,90 @@
+From c4dbba499f335ad88536244254d2d444b8e1c17c Mon Sep 17 00:00:00 2001
+From: Tomas Mraz <tmraz@fedoraproject.org>
+Date: Tue, 6 Apr 2021 12:27:38 +0200
+Subject: [PATCH] pam_access: clean up the remote host matching code
+
+* modules/pam_access/pam_access.c (from_match): Split out remote_match()
+  function and avoid calling it when matching against LOCAL keyword.
+  There is also no point in doing domain match against TTY or SERVICE.
+---
+ modules/pam_access/pam_access.c | 42 +++++++++++++++++++++------------
+ 1 file changed, 27 insertions(+), 15 deletions(-)
+
+diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
+index 98848c54..b493c7bd 100644
+--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
+@@ -160,6 +160,7 @@ static int list_match (pam_handle_t *, char *, char *, struct login_info *,
+ static int user_match (pam_handle_t *, char *, struct login_info *);
+ static int group_match (pam_handle_t *, const char *, const char *, int);
+ static int from_match (pam_handle_t *, char *, struct login_info *);
+static int remote_match (pam_handle_t *, char *, struct login_info *);
+ static int string_match (pam_handle_t *, const char *, const char *, int);
+ static int network_netmask_match (pam_handle_t *, const char *, const char *, struct login_info *);
+ 
+@@ -589,11 +590,9 @@ group_match (pam_handle_t *pamh, const char *tok, const char* usr,
+ /* from_match - match a host or tty against a list of tokens */
+ 
+ static int
+-from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+from_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+ {
+     const char *string = item->from;
+-    int        tok_len;
+-    int        str_len;
+     int        rv;
+ 
+     if (item->debug)
+@@ -616,13 +615,28 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+     } else if ((rv = string_match(pamh, tok, string, item->debug)) != NO) {
+         /* ALL or exact match */
+ 	return rv;
+-    } else if (tok[0] == '.') {			/* domain: match last fields */
+-	if ((str_len = strlen(string)) > (tok_len = strlen(tok))
+-	    && strcasecmp(tok, string + str_len - tok_len) == 0)
+-	    return (YES);
+-    } else if (item->from_remote_host == 0) {	/* local: no PAM_RHOSTS */
+-	if (strcasecmp(tok, "LOCAL") == 0)
+-	    return (YES);
+    } else if (strcasecmp(tok, "LOCAL") == 0) {
+	    /* LOCAL matches only local accesses */
+	    if (!item->from_remote_host)
+	        return YES;
+	    return NO;
+    } else if (item->from_remote_host) {
+        return remote_match(pamh, tok, item);
+    }
+    return NO;
+}
+
+static int
+remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
+{
+    const char *string = item->from;
+    size_t tok_len = strlen(tok);
+    size_t str_len;
+
+    if (tok[0] == '.') {			/* domain: match last fields */
+      if ((str_len = strlen(string)) > tok_len
+	  && strcasecmp(tok, string + str_len - tok_len) == 0)
+	return YES;
+     } else if (tok[(tok_len = strlen(tok)) - 1] == '.') {
+       struct addrinfo hint;
+ 
+@@ -661,13 +675,11 @@ from_match (pam_handle_t *pamh UNUSED, char *tok, struct login_info *item)
+ 	      runp = runp->ai_next;
+ 	    }
+ 	}
+-    } else {
+-      /* Assume network/netmask with a IP of a host.  */
+-      if (network_netmask_match(pamh, tok, string, item))
+-	return YES;
+      return NO;
+     }
+ 
+-    return NO;
+    /* Assume network/netmask with an IP of a host.  */
+    return network_netmask_match(pamh, tok, string, item);
+ }
+ 
+ /* string_match - match a string against one token */
--- a/pam.changes
+++ b/pam.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Wed Apr  7 12:20:40 UTC 2021 - Josef Möllers <josef.moellers@suse.com>
+
+- If "LOCAL" is configured in access.conf, and a login attempt from
+  a remote host is made, pam_access tries to resolve "LOCAL" as
+  a hostname and logs a failure.
+  Checking explicitly for "LOCAL" and rejecting access in this case
+  resolves this issue.
+  [bsc#1184358, bsc1184358-prevent-LOCAL-from-being-resolved.patch]
+
 -------------------------------------------------------------------
 Wed Mar 31 11:43:17 UTC 2021 - Josef Möllers <josef.moellers@suse.com>

--- a/pam.spec
+++ b/pam.spec
@ -66,6 +66,7 @@ Patch7:         pam_tally2-removal.patch
 Patch8:         pam-bsc1177858-dont-free-environment-string.patch
 Patch9:         pam-pam_cracklib-add-usersubstr.patch
 Patch10:        pam-bsc1181443-make-nofile-unlimited-mean-nr_open.patch
+Patch11:        bsc1184358-prevent-LOCAL-from-being-resolved.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
 BuildRequires:  cracklib-devel
@ -178,6 +179,7 @@ cp -a %{SOURCE12} .
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 %if 0%{?usrmerged}
 %patch99 -p1
 %endif