From 2a8b5fe8cce7b8ac5831e02fceb04f3767da3763 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Fri, 10 Nov 2023 10:48:17 +0100 Subject: [PATCH] - libpam: use close_range() to close file descriptors - fix formatting of audit messages Resolves: RHEL-5099 Resolves: RHEL-5100 Signed-off-by: Iker Pedrosa --- pam-1.5.1-audit-messages-formatting.patch | 72 +++++++++++++++++++++++ pam-1.5.1-libpam-close-range.patch | 55 +++++++++++++++++ pam.spec | 13 +++- 3 files changed, 139 insertions(+), 1 deletion(-) create mode 100644 pam-1.5.1-audit-messages-formatting.patch create mode 100644 pam-1.5.1-libpam-close-range.patch diff --git a/pam-1.5.1-audit-messages-formatting.patch b/pam-1.5.1-audit-messages-formatting.patch new file mode 100644 index 0000000..aa9c626 --- /dev/null +++ b/pam-1.5.1-audit-messages-formatting.patch @@ -0,0 +1,72 @@ +From c85513220c1bd3150e39c6277422d29cfa44acc7 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Thu, 27 Jul 2023 13:14:42 -0400 +Subject: [PATCH 1/2] pam_faillock: fix formatting of audit messages + +pam_faillock uses audit_log_user_message to write to the audit system. +It does not take an op argument, so you have to add one yourself. Otherwise +the pam_faillock part of the message is lost because it's not in key=value +format. + +Also, we can't use uid in that event because the kernel already adds that +field. What we normally do is use 'suid' (meaning sender uid) as the +field name. +--- + modules/pam_faillock/pam_faillock.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c +index ca1c7035..a89909ab 100644 +--- a/modules/pam_faillock/pam_faillock.c ++++ b/modules/pam_faillock/pam_faillock.c +@@ -248,7 +248,7 @@ check_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies + + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); +- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_RESP_ACCT_UNLOCK_TIMED, buf, + rhost, NULL, tty, 1); + } +@@ -364,7 +364,7 @@ write_tally(pam_handle_t *pamh, struct options *opts, struct tally_data *tallies + errno == EAFNOSUPPORT)) + return PAM_SYSTEM_ERR; + +- snprintf(buf, sizeof(buf), "pam_faillock uid=%u ", opts->uid); ++ snprintf(buf, sizeof(buf), "op=pam_faillock suid=%u ", opts->uid); + audit_log_user_message(audit_fd, AUDIT_ANOM_LOGIN_FAILURES, buf, + NULL, NULL, NULL, 1); + +-- +2.41.0 + + +From 1648734a69c31e9ce834da70144ac9a453296807 Mon Sep 17 00:00:00 2001 +From: Steve Grubb +Date: Fri, 4 Aug 2023 17:45:45 -0400 +Subject: [PATCH 2/2] pam_selinux: fix formatting of audit messages + +pam_selinux uses audit_log_user_message to write to the audit system. +It does not take an op argument, so you have to add one yourself. Otherwise +the pam_selinux part of the message is lost because it's not in key=value +format. +--- + modules/pam_selinux/pam_selinux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c +index e52e0fc4..713b3f73 100644 +--- a/modules/pam_selinux/pam_selinux.c ++++ b/modules/pam_selinux/pam_selinux.c +@@ -97,7 +97,7 @@ send_audit_message(const pam_handle_t *pamh, int success, const char *default_co + pam_syslog(pamh, LOG_ERR, "Error translating selected context '%s'.", selected_context); + selected_raw = NULL; + } +- if (asprintf(&msg, "pam: default-context=%s selected-context=%s", ++ if (asprintf(&msg, "op=pam_selinux default-context=%s selected-context=%s", + default_raw ? default_raw : (default_context ? default_context : "?"), + selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { + msg = NULL; /* asprintf leaves msg in undefined state on failure */ +-- +2.41.0 + diff --git a/pam-1.5.1-libpam-close-range.patch b/pam-1.5.1-libpam-close-range.patch new file mode 100644 index 0000000..70d61b3 --- /dev/null +++ b/pam-1.5.1-libpam-close-range.patch @@ -0,0 +1,55 @@ +diff -up Linux-PAM-1.5.1/configure.ac.libpam-close-range Linux-PAM-1.5.1/configure.ac +--- Linux-PAM-1.5.1/configure.ac.libpam-close-range 2023-11-10 10:35:00.142833269 +0100 ++++ Linux-PAM-1.5.1/configure.ac 2023-11-10 10:36:29.158987392 +0100 +@@ -552,6 +552,7 @@ AC_CHECK_FUNCS(inet_ntop inet_pton innet + AC_CHECK_FUNCS(quotactl) + AC_CHECK_FUNCS(unshare) + AC_CHECK_FUNCS([ruserok_af ruserok], [break]) ++AC_CHECK_FUNCS(close_range) + BACKUP_LIBS=$LIBS + LIBS="$LIBS -lutil" + AC_CHECK_FUNCS([logwtmp]) +diff -up Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c.libpam-close-range Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c +--- Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c.libpam-close-range 2020-11-25 17:57:02.000000000 +0100 ++++ Linux-PAM-1.5.1/libpam/pam_modutil_sanitize.c 2023-11-10 10:35:00.142833269 +0100 +@@ -11,6 +11,10 @@ + #include + #include + ++#ifndef CLOSE_RANGE_UNSHARE ++#define CLOSE_RANGE_UNSHARE (1U << 1) ++#endif /* CLOSE_RANGE_UNSHARE */ ++ + /* + * Creates a pipe, closes its write end, redirects fd to its read end. + * Returns fd on success, -1 otherwise. +@@ -84,9 +88,8 @@ redirect_out(pam_handle_t *pamh, enum pa + return fd; + } + +-/* Closes all descriptors after stderr. */ + static void +-close_fds(void) ++close_fds_iteratively(void) + { + /* + * An arbitrary upper limit for the maximum file descriptor number +@@ -111,6 +114,18 @@ close_fds(void) + close(fd); + } + ++/* Closes all descriptors after stderr. */ ++static void ++close_fds(void) ++{ ++#ifdef HAVE_CLOSE_RANGE ++ if (close_range(STDERR_FILENO+1, -1U, CLOSE_RANGE_UNSHARE) == 0) ++ return; ++#endif /* HAVE_CLOSE_RANGE */ ++ ++ close_fds_iteratively(); ++} ++ + int + pam_modutil_sanitize_helper_fds(pam_handle_t *pamh, + enum pam_modutil_redirect_fd stdin_mode, diff --git a/pam.spec b/pam.spec index 80ae6ab..c945af6 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.5.1 -Release: 15%{?dist} +Release: 16%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -51,6 +51,11 @@ Patch13: pam-1.5.1-pam-faillock-avoid-logging-erroneous.patch # https://github.com/linux-pam/linux-pam/commit/55f206447a1e4ee26e307e7a9c069236e823b1a5 # https://github.com/linux-pam/linux-pam/commit/80bfda5962e5be3daa70e0fc8c75fc97d1c55121 Patch14: pam-1.5.1-pam-misc-configurable.patch +# https://github.com/linux-pam/linux-pam/commit/d6103b30050554d7b6ca6d55cb5b4ed3c9516663 +Patch15: pam-1.5.1-libpam-close-range.patch +# https://github.com/linux-pam/linux-pam/commit/c85513220c1bd3150e39c6277422d29cfa44acc7 +# https://github.com/linux-pam/linux-pam/commit/1648734a69c31e9ce834da70144ac9a453296807 +Patch16: pam-1.5.1-audit-messages-formatting.patch %global _pamlibdir %{_libdir} %global _moduledir %{_libdir}/security @@ -147,6 +152,8 @@ cp %{SOURCE18} . %patch12 -p1 -b .pam-faillock-clarify-missing-user %patch13 -p1 -b .pam-faillock-avoid-logging-erroneous %patch14 -p1 -b .pam-misc-configurable +%patch15 -p1 -b .libpam-close-range +%patch16 -p1 -b .audit-messages-formatting autoreconf -i @@ -402,6 +409,10 @@ done %doc doc/sag/*.txt doc/sag/html %changelog +* Fri Oct 10 2023 Iker Pedrosa - 1.5.1-16 +- libpam: use close_range() to close file descriptors. Resolves: RHEL-5099 +- fix formatting of audit messages. Resolves: RHEL-5100 + * Mon Jun 26 2023 Iker Pedrosa - 1.5.1-15 - pam_misc: make length of misc_conv() configurable and set to 4096. Resolves: #2215007