forked from pool/pam_kwallet
c3c23f9515
- Add patches for handling edge cases and hardening: * 0001-Verify-that-XDG_RUNTIME_DIR-is-usable.patch * 0002-Don-t-do-anything-if-the-password-is-empty.patch * 0003-Exit-early-if-the-target-user-is-root.patch * 0004-Don-t-call-pam_sm_open_session-within-pam_sm_authent.patch OBS-URL: https://build.opensuse.org/request/show/1071111 OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/pam_kwallet?expand=0&rev=264
31 lines
936 B
Diff
31 lines
936 B
Diff
From 09659874cc6cc3ab21314dc3b24a2db1bc77c46c Mon Sep 17 00:00:00 2001
|
|
From: Fabian Vogt <fabian@ritter-vogt.de>
|
|
Date: Mon, 13 Mar 2023 10:09:10 +0100
|
|
Subject: [PATCH 2/4] Don't do anything if the password is empty
|
|
|
|
If for some reason the password is empty (bug or intentionally configured),
|
|
avoid creating a possibly insecure hash.
|
|
---
|
|
pam_kwallet.c | 5 +++++
|
|
1 file changed, 5 insertions(+)
|
|
|
|
diff --git a/pam_kwallet.c b/pam_kwallet.c
|
|
index 31e93aa..2cd3758 100644
|
|
--- a/pam_kwallet.c
|
|
+++ b/pam_kwallet.c
|
|
@@ -294,6 +294,11 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
|
|
return PAM_IGNORE;
|
|
}
|
|
|
|
+ if (password[0] == '\0') {
|
|
+ pam_syslog(pamh, LOG_NOTICE, "%s: Empty or missing password, doing nothing", logPrefix);
|
|
+ return PAM_IGNORE;
|
|
+ }
|
|
+
|
|
char *key = strdup(password);
|
|
result = pam_set_data(pamh, kwalletPamDataKey, key, cleanup_free);
|
|
|
|
--
|
|
2.39.2
|
|
|