rpms/pam
6
0
Fork 0
Code Issues Pull Requests Releases Activity

pam_access: rework resolving of tokens as hostname

Browse Source 
Resolves: CVE-2024-10963 and RHEL-66241

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
This commit is contained in:
Iker Pedrosa 2024-11-21 09:21:06 +01:00
parent 3720304984
commit 45b3a13bf9
2 changed files with 233 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

225
pam-1.6.1-pam-access-resolve-ip.patch Normal file
View File

@ -0,0 +1,225 @@
From 940747f88c16e029b69a74e80a2e94f65cb3e628 Mon Sep 17 00:00:00 2001
From: Thorsten Kukuk <kukuk@suse.com>
Date: Thu, 14 Nov 2024 10:27:28 +0100
Subject: [PATCH] pam_access: rework resolving of tokens as hostname
* modules/pam_access/pam_access.c: separate resolving of IP addresses
from hostnames. Don't resolve TTYs or display variables as hostname
(#834).
Add "nodns" option to disallow resolving of tokens as hostname.
* modules/pam_access/pam_access.8.xml: document nodns option
* modules/pam_access/access.conf.5.xml: document that hostnames should
be written as FQHN.
---
modules/pam_access/access.conf.5.xml | 4 ++
modules/pam_access/pam_access.8.xml | 46 ++++++++++++------
modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++-
3 files changed, 105 insertions(+), 17 deletions(-)
diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml
index 0b93db00..10b8ba92 100644
--- a/modules/pam_access/access.conf.5.xml
+++ b/modules/pam_access/access.conf.5.xml
@@ -233,6 +233,10 @@
An IPv6 link local host address must contain the interface
identifier. IPv6 link local network/netmask is not supported.
</para>
+ <para>
+ Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
+ confusion with device names or PAM service names.
+ </para>
</refsect1>
<refsect1 xml:id="access.conf-see_also">
diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml
index c991d7a0..71a4f7ee 100644
--- a/modules/pam_access/pam_access.8.xml
+++ b/modules/pam_access/pam_access.8.xml
@@ -22,11 +22,14 @@
<arg choice="opt" rep="norepeat">
debug
</arg>
+ <arg choice="opt" rep="norepeat">
+ noaudit
+ </arg>
<arg choice="opt" rep="norepeat">
nodefgroup
</arg>
<arg choice="opt" rep="norepeat">
- noaudit
+ nodns
</arg>
<arg choice="opt" rep="norepeat">
quiet_log
@@ -132,6 +135,33 @@
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ nodefgroup
+ </term>
+ <listitem>
+ <para>
+ User tokens which are not enclosed in parentheses will not be
+ matched against the group database. The backwards compatible default is
+ to try the group database match even for tokens not enclosed
+ in parentheses.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>
+ nodns
+ </term>
+ <listitem>
+ <para>
+ Do not try to resolve tokens as hostnames, only IPv4 and IPv6
+ addresses will be resolved. Which means to allow login from a
+ remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>
quiet_log
@@ -185,20 +215,6 @@
</listitem>
</varlistentry>
- <varlistentry>
- <term>
- nodefgroup
- </term>
- <listitem>
- <para>
- User tokens which are not enclosed in parentheses will not be
- matched against the group database. The backwards compatible default is
- to try the group database match even for tokens not enclosed
- in parentheses.
- </para>
- </listitem>
- </varlistentry>
-
</variablelist>
</refsect1>
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 48e7c7e9..109115e9 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -100,6 +100,7 @@ struct login_info {
int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */
int noaudit; /* Do not audit denials */
int quiet_log; /* Do not log denials */
+ int nodns; /* Do not try to resolve tokens as hostnames */
const char *fs; /* field separator */
const char *sep; /* list-element separator */
int from_remote_host; /* If PAM_RHOST was used for from */
@@ -154,6 +155,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo,
loginfo->noaudit = YES;
} else if (strcmp (argv[i], "quiet_log") == 0) {
loginfo->quiet_log = YES;
+ } else if (strcmp (argv[i], "nodns") == 0) {
+ loginfo->nodns = YES;
} else {
pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
}
@@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item)
if ((str_len = strlen(string)) > tok_len
&& strcasecmp(tok, string + str_len - tok_len) == 0)
return YES;
- } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */
+ } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */
struct addrinfo hint;
memset (&hint, '\0', sizeof (hint));
@@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string,
}
+static int
+is_device (pam_handle_t *pamh, const char *tok)
+{
+ struct stat st;
+ const char *dev = "/dev/";
+ char *devname;
+
+ devname = malloc (strlen(dev) + strlen (tok) + 1);
+ if (devname == NULL) {
+ pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
+ /*
+ * We should return an error and abort, but pam_access has no good
+ * error handling.
+ */
+ return NO;
+ }
+
+ char *cp = stpcpy (devname, dev);
+ strcpy (cp, tok);
+
+ if (lstat(devname, &st) != 0)
+ {
+ free (devname);
+ return NO;
+ }
+ free (devname);
+
+ if (S_ISCHR(st.st_mode))
+ return YES;
+
+ return NO;
+}
+
/* network_netmask_match - match a string against one token
* where string is a hostname or ip (v4,v6) address and tok
* represents either a hostname, a single ip (v4,v6) address
@@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh,
return NO;
}
}
+ else if (isipaddr(tok, NULL, NULL) == YES)
+ {
+ if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
+ {
+ if (item->debug)
+ pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
+
+ return NO;
+ }
+ netmask_ptr = NULL;
+ }
+ else if (item->nodns)
+ {
+ /* Only hostnames are left, which we would need to resolve via DNS */
+ return NO;
+ }
else
{
+ /* Bail out on X11 Display entries and ttys. */
+ if (tok[0] == ':')
+ {
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s is X11 display", tok);
+ return NO;
+ }
+ if (is_device (pamh, tok))
+ {
+ if (item->debug)
+ pam_syslog (pamh, LOG_DEBUG,
+ "network_netmask_match: tok=%s is a TTY", tok);
+ return NO;
+ }
+
/*
- * It is either an IP address or a hostname.
+ * It is most likely a hostname.
* Let getaddrinfo sort everything out
*/
if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
--
2.47.0

9
pam.spec
View File

@ -4,7 +4,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.6.1 Version: 1.6.1
Release: 6%{?dist} Release: 7%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ # The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway. # - this option is redundant as the BSD license allows that anyway.
# pam_timestamp and pam_loginuid modules are GPLv2+. # pam_timestamp and pam_loginuid modules are GPLv2+.
@ -31,6 +31,8 @@ Patch4: pam-1.6.1-sast-fixes.patch
Patch5: pam-1.6.1-pam-env-econf-read-file-fixes.patch Patch5: pam-1.6.1-pam-env-econf-read-file-fixes.patch
# https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5 # https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5
Patch6: pam-1.6.1-pam-access-local.patch Patch6: pam-1.6.1-pam-access-local.patch
# https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
Patch7: pam-1.6.1-pam-access-resolve-ip.patch
%{load:%{SOURCE3}} %{load:%{SOURCE3}}
@ -127,6 +129,7 @@ cp %{SOURCE18} .
%patch -P 4 -p1 -b .sast-fixes %patch -P 4 -p1 -b .sast-fixes
%patch -P 5 -p1 -b .pam-env-econf-read-file-fixes %patch -P 5 -p1 -b .pam-env-econf-read-file-fixes
%patch -P 6 -p1 -b .pam-access-local %patch -P 6 -p1 -b .pam-access-local
%patch -P 7 -p1 -b .pam-access-resolve-ip
autoreconf -i autoreconf -i
@ -365,6 +368,10 @@ done
%{_pam_libdir}/libpam_misc.so.%{so_ver}* %{_pam_libdir}/libpam_misc.so.%{so_ver}*
%changelog %changelog
* Thu Nov 21 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-7
- pam_access: rework resolving of tokens as hostname.
Resolves: CVE-2024-10963 and RHEL-66241
* Mon Nov 4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-6 * Mon Nov 4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.6.1-6
- pam_access: always match local address and clarify LOCAL keyword behaviour. - pam_access: always match local address and clarify LOCAL keyword behaviour.
Resolves: RHEL-65223 Resolves: RHEL-65223