diff --git a/pam-1.1.1-faillock.patch b/pam-1.1.1-faillock.patch index b8f35a3..4a3e465 100644 --- a/pam-1.1.1-faillock.patch +++ b/pam-1.1.1-faillock.patch @@ -596,8 +596,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo + status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"), + tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I"); + } ++ free(tallies.records); + } -+ free(tallies.records); + close(fd); + return 0; +} @@ -698,7 +698,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1 diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c --- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200 +++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,548 @@ +@@ -0,0 +1,550 @@ +/* + * Copyright (c) 2010 Tomas Mraz + * @@ -887,7 +887,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + } + + if (*user == '\0') { -+ return PAM_USER_UNKNOWN; ++ return PAM_IGNORE; + } + + if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) { @@ -897,7 +897,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + else { + pam_syslog(pamh, LOG_ERR, "User unknown"); + } -+ return PAM_USER_UNKNOWN; ++ return PAM_IGNORE; + } + opts->user = user; + opts->uid = pwd->pw_uid; @@ -1148,6 +1148,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- + + args_parse(pamh, argc, argv, flags, &opts); + ++ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */ ++ + if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) { + return rv; + } @@ -1250,7 +1252,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM- diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml --- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200 +++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200 -@@ -0,0 +1,385 @@ +@@ -0,0 +1,396 @@ + + @@ -1513,10 +1515,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + + + -+ PAM_USER_UNKNOWN ++ PAM_IGNORE + + -+ User not known. ++ User not present in passwd database. + + + @@ -1538,6 +1540,16 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- + (EACCES) the module returns + PAM_SUCCESS. + ++ ++ Note that using the module in without the ++ option or with requisite ++ control field leaks an information about existence or ++ non-existence of an user account in the system because ++ the failures are not recorded for the unknown users. The message ++ about the user account being locked is never displayed for nonexisting ++ user accounts allowing the adversary to infer that a particular account ++ is not existing on a system. ++ + + + @@ -1560,6 +1572,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- +auth required pam_env.so +auth required pam_nologin.so +# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 ++# to display the message about account being locked +auth [success=1 default=bad] pam_unix.so +auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 +auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200 @@ -1580,9 +1593,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux- +auth required pam_securetty.so +auth required pam_env.so +auth required pam_nologin.so -+auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200 -+# optionally use required above if you still want to prompt for the password -+# on locked accounts. ++auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200 ++# optionally use requisite above if you do not want to prompt for the password ++# on locked accounts, possibly with removing the silent option as well +auth sufficient pam_unix.so +auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200 +auth required pam_deny.so diff --git a/pam-1.1.3-faillock-screensaver.patch b/pam-1.1.3-faillock-screensaver.patch index 1b56a90..ce34835 100644 --- a/pam-1.1.3-faillock-screensaver.patch +++ b/pam-1.1.3-faillock-screensaver.patch @@ -1,6 +1,6 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-05 18:13:28.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-05 18:13:28.000000000 +0100 +--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100 @@ -41,13 +41,14 @@ #include #include @@ -36,8 +36,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1 return fd; } diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h ---- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-05 18:13:28.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-05 18:27:23.000000000 +0100 +--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100 @@ -45,6 +45,7 @@ #define _FAILLOCK_H @@ -56,8 +56,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1 int update_tally(int fd, struct tally_data *tallies); #endif diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c ---- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-05 18:13:28.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-05 18:13:28.000000000 +0100 +--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100 @@ -106,8 +106,11 @@ do_user(struct options *opts, const char int fd; int rv; @@ -83,8 +83,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3 pwd->pw_uid); audit_log_user_message(audit_fd, AUDIT_USER_ACCT, diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-05 18:13:28.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-05 18:13:28.000000000 +0100 +--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100 @@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o opts->now = time(NULL); @@ -121,7 +121,7 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-P } if (*fd == -1) { if (errno == EACCES) { -@@ -461,7 +466,7 @@ pam_sm_authenticate(pam_handle_t *pamh, +@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh, case FAILLOCK_ACTION_AUTHSUCC: rv = check_tally(pamh, &opts, &tallies, &fd); @@ -130,7 +130,7 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-P reset_tally(pamh, &opts, &fd); } break; -@@ -509,10 +514,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int +@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int return rv; } @@ -144,8 +144,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-P tally_cleanup(&tallies, fd); diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml ---- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-05 18:13:28.000000000 +0100 -+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-05 18:13:28.000000000 +0100 +--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100 ++++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100 @@ -277,13 +277,9 @@ from the pam_tally2 module setup. @@ -161,5 +161,5 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Lin + the user. This allows pam_faillock.so module + to work correctly when it is called from a screensaver. - - + + Note that using the module in without the diff --git a/pam.spec b/pam.spec index d4f32fa..41fac6e 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.1.3 -Release: 2%{?dist} +Release: 3%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, License: BSD and GPLv2+ @@ -345,6 +345,12 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Wed Nov 10 2010 Tomas Mraz 1.1.3-3 +- fix segfault in faillock utility +- remove some cases where the information of existence of + an user account could be leaked by the pam_faillock, + document the remaining case + * Fri Nov 5 2010 Tomas Mraz 1.1.3-2 - fix a mistake in the abstract X-socket connect - make pam_faillock work with screensaver