Update to version 1.1.0

OBS-URL: https://build.opensuse.org/package/show/devel:tools/pam_wrapper?expand=0&rev=26
2020-03-20 14:18:29 +00:00 · 2020-03-20 14:18:29 +00:00 · 9d35b7ac91
commit 9d35b7ac91
parent 9d4590cf21
7 changed files with 33 additions and 454 deletions
--- a/fix-pam-module-output-crash.patch
+++ b/fix-pam-module-output-crash.patch
@ -1,321 +0,0 @@
 From 00fc7d7151408e53728a0df8868ad75dc0c00a7d Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 22 Jan 2020 11:50:37 +0100
 Subject: [PATCH 1/4] python: Fix crash when the PAM module outputs too much
 data
 This code expected each input (whether echo on or echo off input),
 to generate at most one info or error output, which is obviously not
 correct. A PAM module with external inputs can throw dozens of messages
 and warnings even if the only expected input is a password.
 Allocate those placeholder arrays to be as big as possible to accomodate
 chatty PAM modules.
 Closes: https://bugzilla.samba.org/show_bug.cgi?id=14245
 Signed-off-by: Bastien Nocera <hadess@hadess.net>
 ---
 src/python/pypamtest.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/src/python/pypamtest.c b/src/python/pypamtest.c
 index 905c652..c4d0b07 100644
 --- a/src/python/pypamtest.c
 +++ b/src/python/pypamtest.c
@@ -852,8 +852,8 @@ static int fill_conv_data(PyObject *py_echo_off,
 		return ENOMEM;
 	}
 -	conv_data->out_info = new_conv_list(conv_count);
 -	conv_data->out_err = new_conv_list(conv_count);
 +	conv_data->out_info = new_conv_list(PAM_CONV_MSG_MAX);
 +	conv_data->out_err = new_conv_list(PAM_CONV_MSG_MAX);
 	if (conv_data->out_info == NULL || conv_data->out_err == NULL) {
 		free_conv_data(conv_data);
 		return ENOMEM;
 -- 
 2.24.1
 From e106274e4195aa3bc5f87d469c5555764b3becf0 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 22 Jan 2020 12:17:03 +0100
 Subject: [PATCH 2/4] modules: Add pam_chatty module
 Add a simple PAM module that will output "num_lines" lines of PAM info
 and/or error output.
 Signed-off-by: Bastien Nocera <hadess@hadess.net>
 ---
 src/modules/CMakeLists.txt |   2 +-
 src/modules/pam_chatty.c   | 176 +++++++++++++++++++++++++++++++++++++
 2 files changed, 177 insertions(+), 1 deletion(-)
 create mode 100644 src/modules/pam_chatty.c
 diff --git a/src/modules/CMakeLists.txt b/src/modules/CMakeLists.txt
 index 8e13a0b..e956f4c 100644
 --- a/src/modules/CMakeLists.txt
 +++ b/src/modules/CMakeLists.txt
@@ -1,6 +1,6 @@
 project(pam_wrapper-modules C)
 -set(PAM_MODULES pam_matrix pam_get_items pam_set_items)
 +set(PAM_MODULES pam_matrix pam_get_items pam_set_items pam_chatty)
 set(PAM_LIBRARIES pam)
 if (HAVE_PAM_MISC)
 diff --git a/src/modules/pam_chatty.c b/src/modules/pam_chatty.c
 new file mode 100644
 index 0000000..5ffed5c
 --- /dev/null
 +++ b/src/modules/pam_chatty.c
@@ -0,0 +1,176 @@
 +/*
 + * Copyright (c) 2015 Andreas Schneider <asn@samba.org>
 + * Copyright (c) 2015 Jakub Hrozek <jakub.hrozek@posteo.se>
 + * Copyright (c) 2020 Bastien Nocera <hadess@hadess.net>
 + *
 + * This program is free software: you can redistribute it and/or modify
 + * it under the terms of the GNU General Public License as published by
 + * the Free Software Foundation, either version 3 of the License, or
 + * (at your option) any later version.
 + *
 + * This program is distributed in the hope that it will be useful,
 + * but WITHOUT ANY WARRANTY; without even the implied warranty of
 + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 + * GNU General Public License for more details.
 + *
 + * You should have received a copy of the GNU General Public License
 + * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 + */
 +
 +#include "config.h"
 +
 +#include <sys/param.h>
 +#include <sys/types.h>
 +#include <sys/stat.h>
 +
 +#include <pwd.h>
 +#include <stdlib.h>
 +#include <stdio.h>
 +#include <stdint.h>
 +#include <string.h>
 +#include <unistd.h>
 +#include <ctype.h>
 +#include <errno.h>
 +#include <time.h>
 +#include <stdint.h>
 +
 +#ifndef discard_const
 +#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
 +#endif
 +
 +#ifndef discard_const_p
 +#define discard_const_p(type, ptr) ((type *)discard_const(ptr))
 +#endif
 +
 +#ifdef HAVE_SECURITY_PAM_APPL_H
 +#include <security/pam_appl.h>
 +#endif
 +#ifdef HAVE_SECURITY_PAM_MODULES_H
 +#include <security/pam_modules.h>
 +#endif
 +#ifdef HAVE_SECURITY_PAM_EXT_H
 +#include <security/pam_ext.h>
 +#endif
 +
 +#include "pwrap_compat.h"
 +
 +#define VERBOSE_KEY	"verbose"
 +#define ERROR_KEY	"error"
 +#define INFO_KEY	"info"
 +#define NUM_LINES_KEY	"num_lines="
 +
 +#define DEFAULT_NUM_LINES 3
 +
 +/* We only return up to 16 messages from the PAM conversation.
 + * Value from src/python/pypamtest.c */
 +#define PAM_CONV_MSG_MAX        16
 +
 +#define PAM_CHATTY_FLG_VERBOSE	(1 << 0)
 +#define PAM_CHATTY_FLG_ERROR	(1 << 1)
 +#define PAM_CHATTY_FLG_INFO	(1 << 1)
 +
 +#ifndef discard_const
 +#define discard_const(ptr) ((void *)((uintptr_t)(ptr)))
 +#endif
 +
 +#ifndef discard_const_p
 +#define discard_const_p(type, ptr) ((type *)discard_const(ptr))
 +#endif
 +
 +static int pam_chatty_conv(pam_handle_t *pamh,
 +			   const int msg_style,
 +			   const char *msg)
 +{
 +	int ret;
 +	const struct pam_conv *conv;
 +	const struct pam_message *mesg[1];
 +	struct pam_response *r;
 +	struct pam_message *pam_msg;
 +
 +	ret = pam_get_item(pamh, PAM_CONV, (const void **) &conv);
 +	if (ret != PAM_SUCCESS) {
 +		return ret;
 +	}
 +
 +	pam_msg = malloc(sizeof(struct pam_message));
 +	if (pam_msg == NULL) {
 +		return PAM_BUF_ERR;
 +	}
 +
 +	pam_msg->msg_style = msg_style;
 +	pam_msg->msg = discard_const_p(char, msg);
 +
 +	mesg[0] = (const struct pam_message *) pam_msg;
 +	ret = conv->conv(1, mesg, &r, conv->appdata_ptr);
 +	free(pam_msg);
 +
 +	return ret;
 +}
 +
 +/* Evaluate command line arguments and store info about them in the
 + * pam_matrix context
 + */
 +static unsigned int parse_args(int argc,
 +			       const char *argv[],
 +			       unsigned int *num_lines)
 +{
 +	unsigned int flags = 0;
 +
 +	*num_lines = DEFAULT_NUM_LINES;
 +
 +	for (; argc-- > 0; ++argv) {
 +		if (strncmp(*argv, NUM_LINES_KEY, strlen(NUM_LINES_KEY)) == 0) {
 +			if (*(*argv+strlen(NUM_LINES_KEY)) != '\0') {
 +				*num_lines = atoi(*argv+strlen(NUM_LINES_KEY));
 +				if (*num_lines <= DEFAULT_NUM_LINES)
 +					*num_lines = DEFAULT_NUM_LINES;
 +				if (*num_lines > PAM_CONV_MSG_MAX)
 +					*num_lines = PAM_CONV_MSG_MAX;
 +			}
 +		} else if (strncmp(*argv, VERBOSE_KEY,
 +				   strlen(VERBOSE_KEY)) == 0) {
 +			flags |= PAM_CHATTY_FLG_VERBOSE;
 +		} else if (strncmp(*argv, ERROR_KEY,
 +				   strlen(ERROR_KEY)) == 0) {
 +			flags |= PAM_CHATTY_FLG_ERROR;
 +		} else if (strncmp(*argv, INFO_KEY,
 +				   strlen(INFO_KEY)) == 0) {
 +			flags |= PAM_CHATTY_FLG_INFO;
 +		}
 +	}
 +
 +	return flags;
 +}
 +
 +PAM_EXTERN int
 +pam_sm_authenticate(pam_handle_t *pamh, int flags,
 +		    int argc, const char *argv[])
 +{
 +	unsigned int optflags, num_lines;
 +
 +	optflags = parse_args (argc, argv, &num_lines);
 +	if (!(optflags & PAM_CHATTY_FLG_VERBOSE))
 +		return PAM_SUCCESS;
 +
 +	if (optflags & PAM_CHATTY_FLG_INFO) {
 +		unsigned int i;
 +
 +		for (i = 0; i < num_lines; i++) {
 +			pam_chatty_conv(pamh,
 +					PAM_TEXT_INFO,
 +					"Authentication succeeded");
 +		}
 +	}
 +
 +	if (optflags & PAM_CHATTY_FLG_ERROR) {
 +		unsigned int i;
 +
 +		for (i = 0; i < num_lines; i++) {
 +			pam_chatty_conv(pamh,
 +					PAM_ERROR_MSG,
 +					"Authentication generated an error");
 +		}
 +	}
 +
 +	return PAM_SUCCESS;
 +}
 -- 
 2.24.1
 From 348ee7d7fe2e426bc099347b37357710e4f1cf47 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 22 Jan 2020 12:21:05 +0100
 Subject: [PATCH 3/4] tests: Add service file for chatty module
 So we can test it.
 Signed-off-by: Bastien Nocera <hadess@hadess.net>
 ---
 tests/CMakeLists.txt     | 3 +++
 tests/services/chatty.in | 1 +
 2 files changed, 4 insertions(+)
 create mode 100644 tests/services/chatty.in
 diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
 index 997c15e..eb0477c 100644
 --- a/tests/CMakeLists.txt
 +++ b/tests/CMakeLists.txt
@@ -22,6 +22,9 @@ configure_file(services/matrix_py.in ${CMAKE_CURRENT_BINARY_DIR}/services/matrix
 configure_file(services/pwrap_get_set.in ${CMAKE_CURRENT_BINARY_DIR}/services/pwrap_get_set @ONLY)
 +set(PAM_CHATTY_PATH "${CMAKE_BINARY_DIR}/src/modules/pam_chatty.so")
 +configure_file(services/chatty.in ${CMAKE_CURRENT_BINARY_DIR}/services/chatty @ONLY)
 +
 if (OSX)
 	set(TEST_ENVIRONMENT DYLD_FORCE_FLAT_NAMESPACE=1;DYLD_INSERT_LIBRARIES=${PAM_WRAPPER_LOCATION};PAM_WRAPPER=1;PAM_WRAPPER_SERVICE_DIR=${CMAKE_CURRENT_BINARY_DIR}/services})
 	add_definitions(-DOSX)
 diff --git a/tests/services/chatty.in b/tests/services/chatty.in
 new file mode 100644
 index 0000000..0099b50
 --- /dev/null
 +++ b/tests/services/chatty.in
@@ -0,0 +1 @@
 +auth		required	@PAM_CHATTY_PATH@ verbose num_lines=16 info error
 -- 
 2.24.1
 From 3a130534011d4d13399cc7626a0a2b92e90e1ab6 Mon Sep 17 00:00:00 2001
 From: Bastien Nocera <hadess@hadess.net>
 Date: Wed, 22 Jan 2020 12:22:30 +0100
 Subject: [PATCH 4/4] tests: Add test for verbose PAM modules
 Signed-off-by: Bastien Nocera <hadess@hadess.net>
 ---
 tests/pypamtest_test.py | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/tests/pypamtest_test.py b/tests/pypamtest_test.py
 index 32ef65d..db66490 100755
 --- a/tests/pypamtest_test.py
 +++ b/tests/pypamtest_test.py
@@ -115,6 +115,11 @@ class PyPamTestRunTest(unittest.TestCase):
         self.assertSequenceEqual(res.info, (u'Authentication succeeded',))
         self.assertSequenceEqual(res.errors, ())
 +    def test_run_chatty_auth(self):
 +        neo_password = "secret"
 +        tc = pypamtest.TestCase(pypamtest.PAMTEST_AUTHENTICATE)
 +        res = pypamtest.run_pamtest("neo", "chatty", [tc], [ neo_password ])
 +
     def test_repr(self):
         tc = pypamtest.TestCase(pypamtest.PAMTEST_CHAUTHTOK, 1, 2)
         r = repr(tc)
 -- 
 2.24.1
--- a/pam_wrapper-1.0.7.tar.gz
+++ b/pam_wrapper-1.0.7.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:0537302eb6ceb07bcf5233c859b19264375beaa294bb3a9b7f58973981c8b219
 size 90811
--- a/pam_wrapper-1.0.8-fix_with_latest_pam.patch
+++ b/pam_wrapper-1.0.8-fix_with_latest_pam.patch
@ -1,126 +0,0 @@
 From 491615f2aeda7a57c7389a151d9d9e06f231822c Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Fri, 15 Nov 2019 09:45:22 +0100
 Subject: [PATCH 1/2] pwrap: Use a define in pso_copy()
 Signed-off-by: Andreas Schneider <asn@samba.org>
 ---
 src/pam_wrapper.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/pam_wrapper.c b/src/pam_wrapper.c
 index d7802fb..8997e36 100644
 --- a/src/pam_wrapper.c
 +++ b/src/pam_wrapper.c
@@ -779,12 +779,13 @@ static void pwrap_clean_stale_dirs(const char *dir)
 static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t mode)
 {
 +#define PSO_COPY_READ_SIZE 9
 	int srcfd = -1;
 	int dstfd = -1;
 	int rc = -1;
 	ssize_t bread, bwritten;
 	struct stat sb;
 -	char buf[10];
 +	char buf[PSO_COPY_READ_SIZE + 1];
 	int cmp;
 	size_t to_read;
 	bool found_slash;
@@ -831,10 +832,10 @@ static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t m
 		to_read = 1;
 		if (!found_slash && buf[0] == '/') {
 			found_slash = true;
 -			to_read = 9;
 +			to_read = PSO_COPY_READ_SIZE;
 		}
 -		if (found_slash && bread == 9) {
 +		if (found_slash && bread == PSO_COPY_READ_SIZE) {
 			cmp = memcmp(buf, "etc/pam.d", 9);
 			if (cmp == 0) {
 				memcpy(buf, pdir + 1, 9);
@@ -869,6 +870,7 @@ out:
 	}
 	return rc;
 +#undef PSO_COPY_READ_SIZE
 }
 static void pwrap_init(void)
 -- 
 2.24.0
 From e4db7c3b2341181d4e8c11b4b05f0d43631b2c90 Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Fri, 15 Nov 2019 09:58:27 +0100
 Subject: [PATCH 2/2] pwrap: Fix pso_copy to work with libpam.so.0.84.2
 Signed-off-by: Andreas Schneider <asn@samba.org>
 ---
 src/pam_wrapper.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
 diff --git a/src/pam_wrapper.c b/src/pam_wrapper.c
 index 8997e36..043c00e 100644
 --- a/src/pam_wrapper.c
 +++ b/src/pam_wrapper.c
@@ -779,13 +779,14 @@ static void pwrap_clean_stale_dirs(const char *dir)
 static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t mode)
 {
 -#define PSO_COPY_READ_SIZE 9
 +#define PSO_COPY_READ_SIZE 16
 	int srcfd = -1;
 	int dstfd = -1;
 	int rc = -1;
 	ssize_t bread, bwritten;
 	struct stat sb;
 	char buf[PSO_COPY_READ_SIZE + 1];
 +	size_t pso_copy_read_size = PSO_COPY_READ_SIZE;
 	int cmp;
 	size_t to_read;
 	bool found_slash;
@@ -832,13 +833,35 @@ static int pso_copy(const char *src, const char *dst, const char *pdir, mode_t m
 		to_read = 1;
 		if (!found_slash && buf[0] == '/') {
 			found_slash = true;
 -			to_read = PSO_COPY_READ_SIZE;
 +			to_read = pso_copy_read_size;
 		}
 		if (found_slash && bread == PSO_COPY_READ_SIZE) {
 -			cmp = memcmp(buf, "etc/pam.d", 9);
 +			cmp = memcmp(buf, "usr/etc/pam.d/%s", 16);
 			if (cmp == 0) {
 -				memcpy(buf, pdir + 1, 9);
 +				char tmp[16] = {0};
 +
 +				snprintf(tmp, sizeof(tmp), "%s/%%s", pdir + 1);
 +
 +				memcpy(buf, tmp, 12);
 +				memset(&buf[12], '\0', 4);
 +
 +				/*
 +				 * If we found this string, we need to reduce
 +				 * the read size to not miss, the next one.
 +				 */
 +				pso_copy_read_size = 13;
 +			} else {
 +				cmp = memcmp(buf, "usr/etc/pam.d", 13);
 +				if (cmp == 0) {
 +					memcpy(buf, pdir + 1, 9);
 +					memset(&buf[9], '\0', 4);
 +				} else {
 +					cmp = memcmp(buf, "etc/pam.d", 9);
 +					if (cmp == 0) {
 +						memcpy(buf, pdir + 1, 9);
 +					}
 +				}
 			}
 			found_slash = false;
 		}
 -- 
 2.24.0
--- a/pam_wrapper-1.1.0.tar.gz
+++ b/pam_wrapper-1.1.0.tar.gz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:edf46ea658b1bd181c28e30fb59d2a963a29724f34529293957a93a405e18e57
 size 117226
--- a/pam_wrapper-1.1.0.tar.gz.asc
+++ b/pam_wrapper-1.1.0.tar.gz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEjf9T4Y8qvI2PPJIjfuD8TcwBTj0FAl50zQ4ACgkQfuD8TcwB
 Tj2WPQ/+JDmQ1lkAsTRj/0QxiwihuRR+3NqTNG4sKkyJp/28rgWHhsh/VfW82p5F
 BctSIpElZnaTiCHszBBlCee4X48Qyo8cRPKzFL0LGUnRWMizVEpSJwRJbQmDvm5A
 pVAcHX8NcR7yR7n7baJVudL/hcdxEdPHREbZVRFJW8ZKNOTqcKmKtxETyh+IKLYE
 O1VwJT1NAaLGDSxKyTUREeruAmmGNSDsuW5Md1CHNVsROOdWpDdyXGf/vOvFxXMd
 stWkDE6L18nk7RSKWwDF2CGIUJVU/q1KJtBTbGSaXn+jnl+X0p0M/96cnPC4+Q2j
 zPgXZ6PsU5DTplqrKqKe62rjejw+Mi6secW5dxL3/xO8o0JpsrItA1CuSPcRn+PC
 /Yey6o3NyKv4cqmL2QV5il3VMO4oA3uPOzpqdfa2Fk6/X4DFSeINg6Ge5KNmXo6V
 II3BI6eYYFrL424GQ5r6bYMTzqwFYkQOfQgRAqQeayXy8rhAdbsvqL08CEoTHwSc
 zlyoDi3U8HYYuRv5YIIinakilKlwsLrAX3/v+dT6tU2fkc0OW7p5/3UHKZPYgNYh
 dJlcKTKwDC2tddXnJKK0wk6IHrhyGa8g338jlRN0bX6sqa1a0tLI9//AwmwVRDAj
 E2FlDkduK+v3fvSYBksZWmdTC9ReEIlbH5/kHXyJ55qtFcOf110=
 =Hd9o
 -----END PGP SIGNATURE-----
--- a/pam_wrapper.changes
+++ b/pam_wrapper.changes
@ -1,3 +1,14 @@
 -------------------------------------------------------------------
 Fri Mar 20 14:13:05 UTC 2020 - Andreas Schneider <asn@cryptomilk.org>
 - Update to version 1.1.0
  * Added support for pam_start_confdir()
  * Added pam_chatty module
  * Added gitlab CI support
  * Fixed crash when a PAM module outputs too much data
 - Removed pam_wrapper-1.0.8-fix_with_latest_pam.patch
 - Removed fix-pam-module-output-crash.patch
 -------------------------------------------------------------------
 Thu Mar 19 08:07:02 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>
--- a/pam_wrapper.spec
+++ b/pam_wrapper.spec
@ -24,15 +24,13 @@
 ############################# NOTE ##################################
 %bcond_without python2
 Name:           pam_wrapper
-Version:        1.0.7
+Version:        1.1.0
 Release:        0
 Summary:        A tool to test PAM applications and PAM modules
 License:        GPL-3.0-or-later
 URL:            https://cwrap.org/
 Source0:        https://ftp.samba.org/pub/cwrap/%{name}-%{version}.tar.gz
 Source1:        %{name}-rpmlintrc
 Patch0:         pam_wrapper-1.0.8-fix_with_latest_pam.patch
 Patch1:         fix-pam-module-output-crash.patch
 BuildRequires:  cmake
 BuildRequires:  doxygen
 BuildRequires:  libcmocka-devel
@ -128,7 +126,7 @@ the header files for libpamtest
 %postun -n libpamtest0 -p /sbin/ldconfig
 %files
-%doc AUTHORS README ChangeLog
+%doc AUTHORS README.md CHANGELOG
 %license LICENSE
 %{_libdir}/libpam_wrapper.so*
 %{_libdir}/pkgconfig/pam_wrapper.pc
@ -141,6 +139,7 @@ the header files for libpamtest
 %{_libdir}/pam_wrapper/pam_get_items.so
 %{_libdir}/pam_wrapper/pam_set_items.so
 %{_mandir}/man1/pam_wrapper.1%{?ext_man}
 %{_mandir}/man8/pam_chatty.8%{?ext_man}
 %{_mandir}/man8/pam_matrix.8%{?ext_man}
 %{_mandir}/man8/pam_get_items.8%{?ext_man}
 %{_mandir}/man8/pam_set_items.8%{?ext_man}