diff --git a/fix-pam-module-output-crash.patch b/fix-pam-module-output-crash.patch
deleted file mode 100644
index 62b4b34..0000000
--- a/fix-pam-module-output-crash.patch
+++ /dev/null
@@ -1,321 +0,0 @@ -From 00fc7d7151408e53728a0df8868ad75dc0c00a7d Mon Sep 17 00:00:00 2001 -From: Bastien Nocera -Date: Wed, 22 Jan 2020 11:50:37 +0100 -Subject: [PATCH 1/4] python: Fix crash when the PAM module outputs too much - data - -This code expected each input (whether echo on or echo off input), -to generate at most one info or error output, which is obviously not -correct. A PAM module with external inputs can throw dozens of messages -and warnings even if the only expected input is a password. - -Allocate those placeholder arrays to be as big as possible to accomodate -chatty PAM modules. - -Closes: https://bugzilla.samba.org/show_bug.cgi?id=14245 - -Signed-off-by: Bastien Nocera ---- - src/python/pypamtest.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/python/pypamtest.c b/src/python/pypamtest.c -index 905c652..c4d0b07 100644 ---- a/src/python/pypamtest.c -+++ b/src/python/pypamtest.c -@@ -852,8 +852,8 @@ static int fill_conv_data(PyObject *py_echo_off, - return ENOMEM; - } - -- conv_data->out_info = new_conv_list(conv_count); -- conv_data->out_err = new_conv_list(conv_count); -+ conv_data->out_info = new_conv_list(PAM_CONV_MSG_MAX); -+ conv_data->out_err = new_conv_list(PAM_CONV_MSG_MAX); - if (conv_data->out_info == NULL || conv_data->out_err == NULL) { - free_conv_data(conv_data); - return ENOMEM; --- -2.24.1 - - -From e106274e4195aa3bc5f87d469c5555764b3becf0 Mon Sep 17 00:00:00 2001 -From: Bastien Nocera -Date: Wed, 22 Jan 2020 12:17:03 +0100 -Subject: [PATCH 2/4] modules: Add pam_chatty module - -Add a simple PAM module that will output "num_lines" lines of PAM info -and/or error output. 
- -Signed-off-by: Bastien Nocera ---- - src/modules/CMakeLists.txt | 2 +- - src/modules/pam_chatty.c | 176 +++++++++++++++++++++++++++++++++++++ - 2 files changed, 177 insertions(+), 1 deletion(-) - create mode 100644 src/modules/pam_chatty.c - -diff --git a/src/modules/CMakeLists.txt b/src/modules/CMakeLists.txt -index 8e13a0b..e956f4c 100644 ---- a/src/modules/CMakeLists.txt -+++ b/src/modules/CMakeLists.txt -@@ -1,6 +1,6 @@ - project(pam_wrapper-modules C) - --set(PAM_MODULES pam_matrix pam_get_items pam_set_items) -+set(PAM_MODULES pam_matrix pam_get_items pam_set_items pam_chatty) - - set(PAM_LIBRARIES pam) - if (HAVE_PAM_MISC) -diff --git a/src/modules/pam_chatty.c b/src/modules/pam_chatty.c -new file mode 100644 -index 0000000..5ffed5c ---- /dev/null -+++ b/src/modules/pam_chatty.c -@@ -0,0 +1,176 @@ -+/* -+ * Copyright (c) 2015 Andreas Schneider -+ * Copyright (c) 2015 Jakub Hrozek -+ * Copyright (c) 2020 Bastien Nocera -+ * -+ * This program is free software: you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation, either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . 
-+ */ -+ -+#include "config.h" -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifndef discard_const -+#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -+#endif -+ -+#ifndef discard_const_p -+#define discard_const_p(type, ptr) ((type *)discard_const(ptr)) -+#endif -+ -+#ifdef HAVE_SECURITY_PAM_APPL_H -+#include -+#endif -+#ifdef HAVE_SECURITY_PAM_MODULES_H -+#include -+#endif -+#ifdef HAVE_SECURITY_PAM_EXT_H -+#include -+#endif -+ -+#include "pwrap_compat.h" -+ -+#define VERBOSE_KEY "verbose" -+#define ERROR_KEY "error" -+#define INFO_KEY "info" -+#define NUM_LINES_KEY "num_lines=" -+ -+#define DEFAULT_NUM_LINES 3 -+ -+/* We only return up to 16 messages from the PAM conversation. -+ * Value from src/python/pypamtest.c */ -+#define PAM_CONV_MSG_MAX 16 -+ -+#define PAM_CHATTY_FLG_VERBOSE (1 << 0) -+#define PAM_CHATTY_FLG_ERROR (1 << 1) -+#define PAM_CHATTY_FLG_INFO (1 << 1) -+ -+#ifndef discard_const -+#define discard_const(ptr) ((void *)((uintptr_t)(ptr))) -+#endif -+ -+#ifndef discard_const_p -+#define discard_const_p(type, ptr) ((type *)discard_const(ptr)) -+#endif -+ -+static int pam_chatty_conv(pam_handle_t *pamh, -+ const int msg_style, -+ const char *msg) -+{ -+ int ret; -+ const struct pam_conv *conv; -+ const struct pam_message *mesg[1]; -+ struct pam_response *r; -+ struct pam_message *pam_msg; -+ -+ ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv); -+ if (ret != PAM_SUCCESS) { -+ return ret; -+ } -+ -+ pam_msg = malloc(sizeof(struct pam_message)); -+ if (pam_msg == NULL) { -+ return PAM_BUF_ERR; -+ } -+ -+ pam_msg->msg_style = msg_style; -+ pam_msg->msg = discard_const_p(char, msg); -+ -+ mesg[0] = (const struct pam_message *) pam_msg; -+ ret = conv->conv(1, mesg, &r, conv->appdata_ptr); -+ free(pam_msg); -+ -+ return ret; -+} -+ -+/* Evaluate command line arguments and store info about them in the -+ * pam_matrix context -+ */ 
-+static unsigned int parse_args(int argc, -+ const char *argv[], -+ unsigned int *num_lines) -+{ -+ unsigned int flags = 0; -+ -+ *num_lines = DEFAULT_NUM_LINES; -+ -+ for (; argc-- > 0; ++argv) { -+ if (strncmp(*argv, NUM_LINES_KEY, strlen(NUM_LINES_KEY)) == 0) { -+ if (*(*argv+strlen(NUM_LINES_KEY)) != '\0') { -+ *num_lines = atoi(*argv+strlen(NUM_LINES_KEY)); -+ if (*num_lines <= DEFAULT_NUM_LINES) -+ *num_lines = DEFAULT_NUM_LINES; -+ if (*num_lines > PAM_CONV_MSG_MAX) -+ *num_lines = PAM_CONV_MSG_MAX; -+ } -+ } else if (strncmp(*argv, VERBOSE_KEY, -+ strlen(VERBOSE_KEY)) == 0) { -+ flags |= PAM_CHATTY_FLG_VERBOSE; -+ } else if (strncmp(*argv, ERROR_KEY, -+ strlen(ERROR_KEY)) == 0) { -+ flags |= PAM_CHATTY_FLG_ERROR; -+ } else if (strncmp(*argv, INFO_KEY, -+ strlen(INFO_KEY)) == 0) { -+ flags |= PAM_CHATTY_FLG_INFO; -+ } -+ } -+ -+ return flags; -+} -+ -+PAM_EXTERN int -+pam_sm_authenticate(pam_handle_t *pamh, int flags, -+ int argc, const char *argv[]) -+{ -+ unsigned int optflags, num_lines; -+ -+ optflags = parse_args (argc, argv, &num_lines); -+ if (!(optflags & PAM_CHATTY_FLG_VERBOSE)) -+ return PAM_SUCCESS; -+ -+ if (optflags & PAM_CHATTY_FLG_INFO) { -+ unsigned int i; -+ -+ for (i = 0; i < num_lines; i++) { -+ pam_chatty_conv(pamh, -+ PAM_TEXT_INFO, -+ "Authentication succeeded"); -+ } -+ } -+ -+ if (optflags & PAM_CHATTY_FLG_ERROR) { -+ unsigned int i; -+ -+ for (i = 0; i < num_lines; i++) { -+ pam_chatty_conv(pamh, -+ PAM_ERROR_MSG, -+ "Authentication generated an error"); -+ } -+ } -+ -+ return PAM_SUCCESS; -+} --- -2.24.1 - - -From 348ee7d7fe2e426bc099347b37357710e4f1cf47 Mon Sep 17 00:00:00 2001 -From: Bastien Nocera -Date: Wed, 22 Jan 2020 12:21:05 +0100 -Subject: [PATCH 3/4] tests: Add service file for chatty module - -So we can test it. 
- -Signed-off-by: Bastien Nocera ---- - tests/CMakeLists.txt | 3 +++ - tests/services/chatty.in | 1 + - 2 files changed, 4 insertions(+) - create mode 100644 tests/services/chatty.in - -diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt -index 997c15e..eb0477c 100644 ---- a/tests/CMakeLists.txt -+++ b/tests/CMakeLists.txt -@@ -22,6 +22,9 @@ configure_file(services/matrix_py.in ${CMAKE_CURRENT_BINARY_DIR}/services/matrix - - configure_file(services/pwrap_get_set.in ${CMAKE_CURRENT_BINARY_DIR}/services/pwrap_get_set @ONLY) - -+set(PAM_CHATTY_PATH "${CMAKE_BINARY_DIR}/src/modules/pam_chatty.so") -+configure_file(services/chatty.in ${CMAKE_CURRENT_BINARY_DIR}/services/chatty @ONLY) -+ - if (OSX) - set(TEST_ENVIRONMENT DYLD_FORCE_FLAT_NAMESPACE=1;DYLD_INSERT_LIBRARIES=${PAM_WRAPPER_LOCATION};PAM_WRAPPER=1;PAM_WRAPPER_SERVICE_DIR=${CMAKE_CURRENT_BINARY_DIR}/services}) - add_definitions(-DOSX) -diff --git a/tests/services/chatty.in b/tests/services/chatty.in -new file mode 100644 -index 0000000..0099b50 ---- /dev/null -+++ b/tests/services/chatty.in -@@ -0,0 +1 @@ -+auth required @PAM_CHATTY_PATH@ verbose num_lines=16 info error --- -2.24.1 - - -From 3a130534011d4d13399cc7626a0a2b92e90e1ab6 Mon Sep 17 00:00:00 2001 -From: Bastien Nocera -Date: Wed, 22 Jan 2020 12:22:30 +0100 -Subject: [PATCH 4/4] tests: Add test for verbose PAM modules - -Signed-off-by: Bastien Nocera ---- - tests/pypamtest_test.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/tests/pypamtest_test.py b/tests/pypamtest_test.py -index 32ef65d..db66490 100755 ---- a/tests/pypamtest_test.py -+++ b/tests/pypamtest_test.py -@@ -115,6 +115,11 @@ class PyPamTestRunTest(unittest.TestCase): - self.assertSequenceEqual(res.info, (u'Authentication succeeded',)) - self.assertSequenceEqual(res.errors, ()) - -+ def test_run_chatty_auth(self): -+ neo_password = "secret" -+ tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE) -+ res = pypamtest.run_pamtest("neo", "chatty", [tc], [ neo_password ]) -+ 
- def test_repr(self): - tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, 1, 2) - r = repr(tc) --- -2.24.1 - diff --git a/pam_wrapper-1.0.7.tar.gz b/pam_wrapper-1.0.7.tar.gz deleted file mode 100644 index 02f57dd..0000000 --- a/pam_wrapper-1.0.7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:0537302eb6ceb07bcf5233c859b19264375beaa294bb3a9b7f58973981c8b219 -size 90811 diff --git a/pam_wrapper-1.0.8-fix_with_latest_pam.patch b/pam_wrapper-1.0.8-fix_with_latest_pam.patch deleted file mode 100644 index 76007dc..0000000 --- a/pam_wrapper-1.0.8-fix_with_latest_pam.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From 491615f2aeda7a57c7389a151d9d9e06f231822c Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Nov 2019 09:45:22 +0100 -Subject: [PATCH 1/2] pwrap: Use a define in pso_copy() - -Signed-off-by: Andreas Schneider ---- - src/pam_wrapper.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/src/pam_wrapper.c b/src/pam_wrapper.c -index d7802fb..8997e36 100644 ---- a/src/pam_wrapper.c -+++ b/src/pam_wrapper.c -@@ -779,12 +779,13 @@ static void pwrap_clean_stale_dirs(const char *dir) - - static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t mode) - { -+#define PSO_COPY_READ_SIZE 9 - int srcfd = -1; - int dstfd = -1; - int rc = -1; - ssize_t bread, bwritten; - struct stat sb; -- char buf[10]; -+ char buf[PSO_COPY_READ_SIZE + 1]; - int cmp; - size_t to_read; - bool found_slash; -@@ -831,10 +832,10 @@ static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t m - to_read = 1; - if (!found_slash && buf[0] == '/') { - found_slash = true; -- to_read = 9; -+ to_read = PSO_COPY_READ_SIZE; - } - -- if (found_slash && bread == 9) { -+ if (found_slash && bread == PSO_COPY_READ_SIZE) { - cmp = memcmp(buf, "etc/pam.d", 9); - if (cmp == 0) { - memcpy(buf, pdir + 1, 9); -@@ -869,6 +870,7 @@ out: - } - - return rc; -+#undef PSO_COPY_READ_SIZE - } - - static void pwrap_init(void) --- -2.24.0 - - -From e4db7c3b2341181d4e8c11b4b05f0d43631b2c90 Mon Sep 17 00:00:00 2001 -From: Andreas Schneider -Date: Fri, 15 Nov 2019 09:58:27 +0100 -Subject: [PATCH 2/2] pwrap: Fix pso_copy to work with libpam.so.0.84.2 - -Signed-off-by: Andreas Schneider ---- - src/pam_wrapper.c | 31 +++++++++++++++++++++++++++---- - 1 file changed, 27 insertions(+), 4 deletions(-) - -diff --git a/src/pam_wrapper.c b/src/pam_wrapper.c -index 8997e36..043c00e 100644 ---- a/src/pam_wrapper.c -+++ b/src/pam_wrapper.c -@@ -779,13 +779,14 @@ static void pwrap_clean_stale_dirs(const char *dir) - - static int pso_copy(const 
char *src, const char *dst, const char *pdir, mode_t mode) - { --#define PSO_COPY_READ_SIZE 9 -+#define PSO_COPY_READ_SIZE 16 - int srcfd = -1; - int dstfd = -1; - int rc = -1; - ssize_t bread, bwritten; - struct stat sb; - char buf[PSO_COPY_READ_SIZE + 1]; -+ size_t pso_copy_read_size = PSO_COPY_READ_SIZE; - int cmp; - size_t to_read; - bool found_slash; -@@ -832,13 +833,35 @@ static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t m - to_read = 1; - if (!found_slash && buf[0] == '/') { - found_slash = true; -- to_read = PSO_COPY_READ_SIZE; -+ to_read = pso_copy_read_size; - } - - if (found_slash && bread == PSO_COPY_READ_SIZE) { -- cmp = memcmp(buf, "etc/pam.d", 9); -+ cmp = memcmp(buf, "usr/etc/pam.d/%s", 16); - if (cmp == 0) { -- memcpy(buf, pdir + 1, 9); -+ char tmp[16] = {0}; -+ -+ snprintf(tmp, sizeof(tmp), "%s/%%s", pdir + 1); -+ -+ memcpy(buf, tmp, 12); -+ memset(&buf[12], '\0', 4); -+ -+ /* -+ * If we found this string, we need to reduce -+ * the read size to not miss, the next one. -+ */ -+ pso_copy_read_size = 13; -+ } else { -+ cmp = memcmp(buf, "usr/etc/pam.d", 13); -+ if (cmp == 0) { -+ memcpy(buf, pdir + 1, 9); -+ memset(&buf[9], '\0', 4); -+ } else { -+ cmp = memcmp(buf, "etc/pam.d", 9); -+ if (cmp == 0) { -+ memcpy(buf, pdir + 1, 9); -+ } -+ } - } - found_slash = false; - } --- -2.24.0 - diff --git a/pam_wrapper-1.1.0.tar.gz b/pam_wrapper-1.1.0.tar.gz new file mode 100644 index 0000000..a62f078 --- /dev/null +++ b/pam_wrapper-1.1.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:edf46ea658b1bd181c28e30fb59d2a963a29724f34529293957a93a405e18e57 +size 117226 diff --git a/pam_wrapper-1.1.0.tar.gz.asc b/pam_wrapper-1.1.0.tar.gz.asc new file mode 100644 index 0000000..9fa6514 --- /dev/null +++ b/pam_wrapper-1.1.0.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAl50zQ4ACgkQfuD8TcwB +Tj2WPQ/+JDmQ1lkAsTRj/0QxiwihuRR+3NqTNG4sKkyJp/28rgWHhsh/VfW82p5F +BctSIpElZnaTiCHszBBlCee4X48Qyo8cRPKzFL0LGUnRWMizVEpSJwRJbQmDvm5A +pVAcHX8NcR7yR7n7baJVudL/hcdxEdPHREbZVRFJW8ZKNOTqcKmKtxETyh+IKLYE +O1VwJT1NAaLGDSxKyTUREeruAmmGNSDsuW5Md1CHNVsROOdWpDdyXGf/vOvFxXMd +stWkDE6L18nk7RSKWwDF2CGIUJVU/q1KJtBTbGSaXn+jnl+X0p0M/96cnPC4+Q2j +zPgXZ6PsU5DTplqrKqKe62rjejw+Mi6secW5dxL3/xO8o0JpsrItA1CuSPcRn+PC +/Yey6o3NyKv4cqmL2QV5il3VMO4oA3uPOzpqdfa2Fk6/X4DFSeINg6Ge5KNmXo6V +II3BI6eYYFrL424GQ5r6bYMTzqwFYkQOfQgRAqQeayXy8rhAdbsvqL08CEoTHwSc +zlyoDi3U8HYYuRv5YIIinakilKlwsLrAX3/v+dT6tU2fkc0OW7p5/3UHKZPYgNYh +dJlcKTKwDC2tddXnJKK0wk6IHrhyGa8g338jlRN0bX6sqa1a0tLI9//AwmwVRDAj +E2FlDkduK+v3fvSYBksZWmdTC9ReEIlbH5/kHXyJ55qtFcOf110= +=Hd9o +-----END PGP SIGNATURE----- diff --git a/pam_wrapper.changes b/pam_wrapper.changes index 969b59d..cc880f4 100644 --- a/pam_wrapper.changes +++ b/pam_wrapper.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Fri Mar 20 14:13:05 UTC 2020 - Andreas Schneider + +- Update to version 1.1.0 + * Added support for pam_start_confdir() + * Added pam_chatty module + * Added gitlab CI support + * Fixed crash when a PAM module outputs too much data +- Removed pam_wrapper-1.0.8-fix_with_latest_pam.patch +- Removed fix-pam-module-output-crash.patch + ------------------------------------------------------------------- Thu Mar 19 08:07:02 UTC 2020 - Tomáš Chvátal diff --git a/pam_wrapper.spec b/pam_wrapper.spec index 280d246..cffe4ff 100644 --- a/pam_wrapper.spec +++ b/pam_wrapper.spec 
@@ -24,15 +24,13 @@ ############################# NOTE ################################## %bcond_without python2 Name: pam_wrapper -Version: 1.0.7 +Version: 1.1.0 Release: 0 Summary: A tool to test PAM applications and PAM modules License: GPL-3.0-or-later URL: https://cwrap.org/ Source0: https://ftp.samba.org/pub/cwrap/%{name}-%{version}.tar.gz Source1: %{name}-rpmlintrc -Patch0: pam_wrapper-1.0.8-fix_with_latest_pam.patch -Patch1: fix-pam-module-output-crash.patch BuildRequires: cmake BuildRequires: doxygen BuildRequires: libcmocka-devel @@ -128,7 +126,7 @@ the header files for libpamtest %postun -n libpamtest0 -p /sbin/ldconfig %files -%doc AUTHORS README ChangeLog +%doc AUTHORS README.md CHANGELOG %license LICENSE %{_libdir}/libpam_wrapper.so* %{_libdir}/pkgconfig/pam_wrapper.pc @@ -141,6 +139,7 @@ the header files for libpamtest %{_libdir}/pam_wrapper/pam_get_items.so %{_libdir}/pam_wrapper/pam_set_items.so %{_mandir}/man1/pam_wrapper.1%{?ext_man} +%{_mandir}/man8/pam_chatty.8%{?ext_man} %{_mandir}/man8/pam_matrix.8%{?ext_man} %{_mandir}/man8/pam_get_items.8%{?ext_man} %{_mandir}/man8/pam_set_items.8%{?ext_man}
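Review bot: The Source list in the first hunk still holds only `Source0` (the tarball) and `Source1` (the rpmlintrc), although this commit adds the detached signature pam_wrapper-1.1.0.tar.gz.asc to the package. Nothing in the visible hunks references that signature and no keyring file is added, so it appears to be stored but never checked against the tarball during source validation or build. I would declare it, e.g. `Source2: %{name}-%{version}.tar.gz.asc` and `Source3: %{name}.keyring`, renumber the rpmlintrc entry if the project prefers that order, and commit the upstream signing key as the keyring file. The key's fingerprint should be confirmed through a channel independent of the download host before it is trusted.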