- fix segfault in faillock utility
- remove some cases where the information of existence of an user account could be leaked by the pam_faillock, document the remaining case
This commit is contained in:
Tomas Mraz
parent
a4d4d78281
commit
5310fecf62
|
|
@ -596,8 +596,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/main.c.faillock Linux-PAM-1.1.1/mo
|
||||||
+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
|
+ status & TALLY_STATUS_RHOST ? "RHOST" : (status & TALLY_STATUS_TTY ? "TTY" : "SVC"),
|
||||||
+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
|
+ tallies.records[i].source, status & TALLY_STATUS_VALID ? "V":"I");
|
||||||
+ }
|
+ }
|
||||||
|
+ free(tallies.records);
|
||||||
+ }
|
+ }
|
||||||
+ free(tallies.records);
|
|
||||||
+ close(fd);
|
+ close(fd);
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
|
|
@ -698,7 +698,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/Makefile.am.faillock Linux-PAM-1.1
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c 2010-09-17 15:58:41.000000000 +0200
|
||||||
@@ -0,0 +1,548 @@
|
@@ -0,0 +1,550 @@
|
||||||
+/*
|
+/*
|
||||||
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
+ * Copyright (c) 2010 Tomas Mraz <tmraz@redhat.com>
|
||||||
+ *
|
+ *
|
||||||
|
|
@ -887,7 +887,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if (*user == '\0') {
|
+ if (*user == '\0') {
|
||||||
+ return PAM_USER_UNKNOWN;
|
+ return PAM_IGNORE;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
|
+ if ((pwd=pam_modutil_getpwnam(pamh, user)) == NULL) {
|
||||||
|
|
@ -897,7 +897,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||||
+ else {
|
+ else {
|
||||||
+ pam_syslog(pamh, LOG_ERR, "User unknown");
|
+ pam_syslog(pamh, LOG_ERR, "User unknown");
|
||||||
+ }
|
+ }
|
||||||
+ return PAM_USER_UNKNOWN;
|
+ return PAM_IGNORE;
|
||||||
+ }
|
+ }
|
||||||
+ opts->user = user;
|
+ opts->user = user;
|
||||||
+ opts->uid = pwd->pw_uid;
|
+ opts->uid = pwd->pw_uid;
|
||||||
|
|
@ -1148,6 +1148,8 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||||
+
|
+
|
||||||
+ args_parse(pamh, argc, argv, flags, &opts);
|
+ args_parse(pamh, argc, argv, flags, &opts);
|
||||||
+
|
+
|
||||||
|
+ pam_fail_delay(pamh, 2000000); /* 2 sec delay for on failure */
|
||||||
|
+
|
||||||
+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
|
+ if ((rv=get_pam_user(pamh, &opts)) != PAM_SUCCESS) {
|
||||||
+ return rv;
|
+ return rv;
|
||||||
+ }
|
+ }
|
||||||
|
|
@ -1250,7 +1252,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.c.faillock Linux-PAM-
|
||||||
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
|
diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml
|
||||||
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
--- Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock 2010-09-17 15:58:41.000000000 +0200
|
||||||
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
|
+++ Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml 2010-09-17 15:58:41.000000000 +0200
|
||||||
@@ -0,0 +1,385 @@
|
@@ -0,0 +1,396 @@
|
||||||
+<?xml version="1.0" encoding='UTF-8'?>
|
+<?xml version="1.0" encoding='UTF-8'?>
|
||||||
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
|
||||||
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
|
||||||
|
|
@ -1513,10 +1515,10 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
||||||
+ </listitem>
|
+ </listitem>
|
||||||
+ </varlistentry>
|
+ </varlistentry>
|
||||||
+ <varlistentry>
|
+ <varlistentry>
|
||||||
+ <term>PAM_USER_UNKNOWN</term>
|
+ <term>PAM_IGNORE</term>
|
||||||
+ <listitem>
|
+ <listitem>
|
||||||
+ <para>
|
+ <para>
|
||||||
+ User not known.
|
+ User not present in passwd database.
|
||||||
+ </para>
|
+ </para>
|
||||||
+ </listitem>
|
+ </listitem>
|
||||||
+ </varlistentry>
|
+ </varlistentry>
|
||||||
|
|
@ -1538,6 +1540,16 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
||||||
+ (<errorcode>EACCES</errorcode>) the module returns
|
+ (<errorcode>EACCES</errorcode>) the module returns
|
||||||
+ <errorcode>PAM_SUCCESS</errorcode>.
|
+ <errorcode>PAM_SUCCESS</errorcode>.
|
||||||
+ </para>
|
+ </para>
|
||||||
|
+ <para>
|
||||||
|
+ Note that using the module in <option>preauth</option> without the
|
||||||
|
+ <option>silent</option> option or with <emphasis>requisite</emphasis>
|
||||||
|
+ control field leaks an information about existence or
|
||||||
|
+ non-existence of an user account in the system because
|
||||||
|
+ the failures are not recorded for the unknown users. The message
|
||||||
|
+ about the user account being locked is never displayed for nonexisting
|
||||||
|
+ user accounts allowing the adversary to infer that a particular account
|
||||||
|
+ is not existing on a system.
|
||||||
|
+ </para>
|
||||||
+ </refsect1>
|
+ </refsect1>
|
||||||
+
|
+
|
||||||
+ <refsect1 id='pam_faillock-examples'>
|
+ <refsect1 id='pam_faillock-examples'>
|
||||||
|
|
@ -1560,6 +1572,7 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
||||||
+auth required pam_env.so
|
+auth required pam_env.so
|
||||||
+auth required pam_nologin.so
|
+auth required pam_nologin.so
|
||||||
+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
|
+# optionally call: auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
|
||||||
|
+# to display the message about account being locked
|
||||||
+auth [success=1 default=bad] pam_unix.so
|
+auth [success=1 default=bad] pam_unix.so
|
||||||
+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
|
+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
|
||||||
+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
|
+auth sufficient pam_faillock.so authsucc deny=4 even_deny_root unlock_time=1200
|
||||||
|
|
@ -1580,9 +1593,9 @@ diff -up Linux-PAM-1.1.1/modules/pam_faillock/pam_faillock.8.xml.faillock Linux-
|
||||||
+auth required pam_securetty.so
|
+auth required pam_securetty.so
|
||||||
+auth required pam_env.so
|
+auth required pam_env.so
|
||||||
+auth required pam_nologin.so
|
+auth required pam_nologin.so
|
||||||
+auth requisite pam_faillock.so preauth deny=4 even_deny_root unlock_time=1200
|
+auth required pam_faillock.so preauth silent deny=4 even_deny_root unlock_time=1200
|
||||||
+# optionally use required above if you still want to prompt for the password
|
+# optionally use requisite above if you do not want to prompt for the password
|
||||||
+# on locked accounts.
|
+# on locked accounts, possibly with removing the silent option as well
|
||||||
+auth sufficient pam_unix.so
|
+auth sufficient pam_unix.so
|
||||||
+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
|
+auth [default=die] pam_faillock.so authfail deny=4 even_deny_root unlock_time=1200
|
||||||
+auth required pam_deny.so
|
+auth required pam_deny.so
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c
|
diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.c
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-05 18:13:28.000000000 +0100
|
--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-05 18:13:28.000000000 +0100
|
+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.c 2010-11-10 11:46:07.000000000 +0100
|
||||||
@@ -41,13 +41,14 @@
|
@@ -41,13 +41,14 @@
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <sys/stat.h>
|
#include <sys/stat.h>
|
||||||
|
|
@ -36,8 +36,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.c.screensaver Linux-PAM-1
|
||||||
return fd;
|
return fd;
|
||||||
}
|
}
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h
|
diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1.1.3/modules/pam_faillock/faillock.h
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-05 18:13:28.000000000 +0100
|
--- Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver 2010-11-10 11:46:07.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-05 18:27:23.000000000 +0100
|
+++ Linux-PAM-1.1.3/modules/pam_faillock/faillock.h 2010-11-10 11:46:07.000000000 +0100
|
||||||
@@ -45,6 +45,7 @@
|
@@ -45,6 +45,7 @@
|
||||||
#define _FAILLOCK_H
|
#define _FAILLOCK_H
|
||||||
|
|
||||||
|
|
@ -56,8 +56,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/faillock.h.screensaver Linux-PAM-1
|
||||||
int update_tally(int fd, struct tally_data *tallies);
|
int update_tally(int fd, struct tally_data *tallies);
|
||||||
#endif
|
#endif
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c
|
diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/main.c
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-05 18:13:28.000000000 +0100
|
--- Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver 2010-11-10 11:46:07.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-05 18:13:28.000000000 +0100
|
+++ Linux-PAM-1.1.3/modules/pam_faillock/main.c 2010-11-10 11:46:07.000000000 +0100
|
||||||
@@ -106,8 +106,11 @@ do_user(struct options *opts, const char
|
@@ -106,8 +106,11 @@ do_user(struct options *opts, const char
|
||||||
int fd;
|
int fd;
|
||||||
int rv;
|
int rv;
|
||||||
|
|
@ -83,8 +83,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/main.c.screensaver Linux-PAM-1.1.3
|
||||||
pwd->pw_uid);
|
pwd->pw_uid);
|
||||||
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
audit_log_user_message(audit_fd, AUDIT_USER_ACCT,
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c
|
diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-05 18:13:28.000000000 +0100
|
--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver 2010-11-10 11:46:07.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-05 18:13:28.000000000 +0100
|
+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c 2010-11-10 11:46:07.000000000 +0100
|
||||||
@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
|
@@ -213,7 +213,7 @@ check_tally(pam_handle_t *pamh, struct o
|
||||||
|
|
||||||
opts->now = time(NULL);
|
opts->now = time(NULL);
|
||||||
|
|
@ -121,7 +121,7 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-P
|
||||||
}
|
}
|
||||||
if (*fd == -1) {
|
if (*fd == -1) {
|
||||||
if (errno == EACCES) {
|
if (errno == EACCES) {
|
||||||
@@ -461,7 +466,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
@@ -463,7 +468,7 @@ pam_sm_authenticate(pam_handle_t *pamh,
|
||||||
|
|
||||||
case FAILLOCK_ACTION_AUTHSUCC:
|
case FAILLOCK_ACTION_AUTHSUCC:
|
||||||
rv = check_tally(pamh, &opts, &tallies, &fd);
|
rv = check_tally(pamh, &opts, &tallies, &fd);
|
||||||
|
|
@ -130,7 +130,7 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-P
|
||||||
reset_tally(pamh, &opts, &fd);
|
reset_tally(pamh, &opts, &fd);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
@@ -509,10 +514,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
@@ -511,10 +516,8 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -144,8 +144,8 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.c.screensaver Linux-P
|
||||||
tally_cleanup(&tallies, fd);
|
tally_cleanup(&tallies, fd);
|
||||||
|
|
||||||
diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml
|
diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml
|
||||||
--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-05 18:13:28.000000000 +0100
|
--- Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver 2010-11-10 11:46:07.000000000 +0100
|
||||||
+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-05 18:13:28.000000000 +0100
|
+++ Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml 2010-11-10 11:47:14.000000000 +0100
|
||||||
@@ -277,13 +277,9 @@
|
@@ -277,13 +277,9 @@
|
||||||
from the <emphasis>pam_tally2</emphasis> module setup.
|
from the <emphasis>pam_tally2</emphasis> module setup.
|
||||||
</para>
|
</para>
|
||||||
|
|
@ -161,5 +161,5 @@ diff -up Linux-PAM-1.1.3/modules/pam_faillock/pam_faillock.8.xml.screensaver Lin
|
||||||
+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
|
+ the user. This allows <emphasis remap='B'>pam_faillock.so</emphasis> module
|
||||||
+ to work correctly when it is called from a screensaver.
|
+ to work correctly when it is called from a screensaver.
|
||||||
</para>
|
</para>
|
||||||
</refsect1>
|
<para>
|
||||||
|
Note that using the module in <option>preauth</option> without the
|
||||||
|
|
|
||||||
8
pam.spec
8
pam.spec
|
|
@ -3,7 +3,7 @@
|
||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.1.3
|
Version: 1.1.3
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
# The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
|
||||||
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
# as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
|
||||||
License: BSD and GPLv2+
|
License: BSD and GPLv2+
|
||||||
|
|
@ -345,6 +345,12 @@ fi
|
||||||
%doc doc/adg/*.txt doc/adg/html
|
%doc doc/adg/*.txt doc/adg/html
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 10 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-3
|
||||||
|
- fix segfault in faillock utility
|
||||||
|
- remove some cases where the information of existence of
|
||||||
|
an user account could be leaked by the pam_faillock,
|
||||||
|
document the remaining case
|
||||||
|
|
||||||
* Fri Nov 5 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-2
|
* Fri Nov 5 2010 Tomas Mraz <tmraz@redhat.com> 1.1.3-2
|
||||||
- fix a mistake in the abstract X-socket connect
|
- fix a mistake in the abstract X-socket connect
|
||||||
- make pam_faillock work with screensaver
|
- make pam_faillock work with screensaver
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue