From 786ce63f9d178da7011f187f24a32d829bec076a Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Mon, 10 Sep 2018 14:25:15 +0200 Subject: [PATCH] Coverity fixes, pam_umask added to postlogin add pam_umask to postlogin PAM configuration file fix some issues found by Coverity scan --- fingerprint-auth.pamd | 2 +- pam-1.3.1-coverity.patch | 185 +++++++++++++++++++++++++++++++++++++++ pam.spec | 8 +- password-auth.pamd | 2 +- postlogin.pamd | 9 +- smartcard-auth.pamd | 2 +- system-auth.pamd | 2 +- 7 files changed, 201 insertions(+), 9 deletions(-) create mode 100644 pam-1.3.1-coverity.patch diff --git a/fingerprint-auth.pamd b/fingerprint-auth.pamd index 604b95f..aae6ecc 100644 --- a/fingerprint-auth.pamd +++ b/fingerprint-auth.pamd @@ -1,6 +1,6 @@ #%PAM-1.0 # This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. +# User changes will be destroyed the next time authselect is run. auth required pam_env.so auth sufficient pam_fprintd.so auth required pam_deny.so diff --git a/pam-1.3.1-coverity.patch b/pam-1.3.1-coverity.patch new file mode 100644 index 0000000..3fcc86a --- /dev/null +++ b/pam-1.3.1-coverity.patch @@ -0,0 +1,185 @@ +diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c +index 106ef7c..b2e94c7 100644 +--- a/libpam/pam_handlers.c ++++ b/libpam/pam_handlers.c +@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh + { + char *p; + FILE *f; +- int err = 0; + + /* Absolute path */ + if (service[0] == '/') { +diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c +index be53f34..07dce36 100644 +--- a/libpam_misc/misc_conv.c ++++ b/libpam_misc/misc_conv.c +@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr) + line[nc] = '\0'; + } + *retstr = strdup(line); +- _pam_overwrite(line); ++ _pam_overwrite_n(line, sizeof(line)); + if (!*retstr) { + D(("no memory for response string")); + nc = -1; +@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr) + D(("the timer appears to have expired")); + + *retstr = NULL; +- _pam_overwrite(line); ++ _pam_overwrite_n(line, sizeof(line)); + + cleanexit: + +diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c +index 80d885d..3801862 100644 +--- a/modules/pam_access/pam_access.c ++++ b/modules/pam_access/pam_access.c +@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED, + const char *user=NULL; + const void *void_from=NULL; + const char *from; +- const char const *default_config = PAM_ACCESS_CONFIG; ++ const char * const default_config = PAM_ACCESS_CONFIG; + struct passwd *user_pw; + char hostname[MAXHOSTNAMELEN + 1]; + int rv; +diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c +index 4bc4ae7..f8476b4 100644 +--- a/modules/pam_limits/pam_limits.c ++++ b/modules/pam_limits/pam_limits.c +@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = { + #endif + }; + +-static int str2rlimit(char *name) { ++static int str2rlimit(const char *name) { + int i; + if (!name || *name == '\0') + return -1; +@@ -352,7 +352,7 @@ static int str2rlimit(char *name) { + return -1; + } + +-static rlim_t str2rlim_t(char *value) { ++static rlim_t str2rlim_t(const char *value) { + unsigned long long rlimit = 0; + + if (!value) return (rlim_t)rlimit; +@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int + FILE *limitsfile; + const char *proclimits = "/proc/1/limits"; + char line[256]; +- char *units, *hard, *soft, *name; ++ const char *units, *hard, *soft, *name; + + if (!(limitsfile = fopen(proclimits, "r"))) { + pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno)); +diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c +index 96bfd98..66d202c 100644 +--- a/modules/pam_loginuid/pam_loginuid.c ++++ b/modules/pam_loginuid/pam_loginuid.c +@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid) + fd = open("/proc/self/uid_map", O_RDONLY); + if (fd >= 0) { + count = pam_modutil_read(fd, uid_map, sizeof(uid_map)); +- if (strncmp(uid_map, host_uid_map, count) != 0) ++ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0) + rc = PAM_IGNORE; + close(fd); + } +diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c +index 9e204c1..4b8d6b7 100644 +--- a/modules/pam_mkhomedir/mkhomedir_helper.c ++++ b/modules/pam_mkhomedir/mkhomedir_helper.c +@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd, + { + pam_syslog(NULL, LOG_DEBUG, + "unable to open or stat src file %s: %m", newsource); ++ if (srcfd >= 0) ++ close(srcfd); + closedir(d); + + #ifndef PATH_MAX +diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c +index f541f89..85f5efa 100644 +--- a/modules/pam_namespace/pam_namespace.c ++++ b/modules/pam_namespace/pam_namespace.c +@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat * + if (fstat(fd, &newstatbuf) < 0) { + pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m", + ipath); ++ close(fd); + rmdir(ipath); + return PAM_SESSION_ERR; + } +diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c +index e6cf346..813f579 100644 +--- a/modules/pam_pwhistory/opasswd.c ++++ b/modules/pam_pwhistory/opasswd.c +@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + n = strlen (buf); + #endif /* HAVE_GETLINE / HAVE_GETDELIM */ + ++ if (n < 1) ++ break; ++ + cp = buf; + save = strdup (buf); /* Copy to write the original data back. */ + if (save == NULL) +@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid, + goto error_opasswd; + } + +- if (n < 1) +- break; +- + tmp = strchr (cp, '#'); /* remove comments */ + if (tmp) + *tmp = '\0'; +diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c +index 17baabe..a9d9140 100644 +--- a/modules/pam_rootok/pam_rootok.c ++++ b/modules/pam_rootok/pam_rootok.c +@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...) + int audit_fd; + va_list ap; + +- va_start(ap, fmt); + #ifdef HAVE_LIBAUDIT + audit_fd = audit_open(); + + if (audit_fd >= 0) { + char *buf; ++ int ret; + +- if (vasprintf (&buf, fmt, ap) < 0) ++ va_start(ap, fmt); ++ ret = vasprintf (&buf, fmt, ap) ++ va_end(ap); ++ if (ret < 0) + return 0; + audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, + NULL, 0); +@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...) + } + + #endif ++ va_start(ap, fmt); + vsyslog (LOG_USER | LOG_INFO, fmt, ap); + va_end(ap); + return 0; +diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c +index c653290..f37af0f 100644 +--- a/modules/pam_sepermit/pam_sepermit.c ++++ b/modules/pam_sepermit/pam_sepermit.c +@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user, + if (*sense == PAM_SUCCESS) { + if (ignore) + *sense = PAM_IGNORE; +- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1) ++ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1) + if (sepermit_lock(pamh, user, debug) < 0) + *sense = PAM_AUTH_ERR; + } diff --git a/pam.spec b/pam.spec index c0db7a4..482a555 100644 --- a/pam.spec +++ b/pam.spec @@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.1 -Release: 3%{?dist} +Release: 4%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ # - this option is redundant as the BSD license allows that anyway. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. @@ -42,6 +42,7 @@ Patch29: pam-1.3.0-pwhistory-helper.patch Patch31: pam-1.1.8-audit-user-mgmt.patch Patch32: pam-1.2.1-console-devname.patch Patch33: pam-1.3.0-unix-nomsg.patch +Patch34: pam-1.3.1-coverity.patch %define _pamlibdir %{_libdir} %define _moduledir %{_libdir}/security @@ -123,6 +124,7 @@ cp %{SOURCE18} . %patch31 -p1 -b .audit-user-mgmt %patch32 -p1 -b .devname %patch33 -p1 -b .nomsg +%patch34 -p1 -b .coverity autoreconf -i %build @@ -366,6 +368,10 @@ done %doc doc/specs/rfc86.0.txt %changelog +* Mon Sep 10 2018 Tomáš Mráz 1.3.1-4 +- add pam_umask to postlogin PAM configuration file +- fix some issues found by Coverity scan + * Fri Jul 13 2018 Fedora Release Engineering - 1.3.1-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild diff --git a/password-auth.pamd b/password-auth.pamd index 2e01bf9..5de6f4d 100644 --- a/password-auth.pamd +++ b/password-auth.pamd @@ -1,6 +1,6 @@ #%PAM-1.0 # This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. +# User changes will be destroyed the next time authselect is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so diff --git a/postlogin.pamd b/postlogin.pamd index e036f4e..2ce9af4 100644 --- a/postlogin.pamd +++ b/postlogin.pamd @@ -1,7 +1,8 @@ #%PAM-1.0 # This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. +# User changes will be destroyed the next time authselect is run. -session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet -session [default=1] pam_lastlog.so nowtmp showfailed -session optional pam_lastlog.so silent noupdate showfailed +session optional pam_umask.so silent +session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet +session [default=1] pam_lastlog.so nowtmp showfailed +session optional pam_lastlog.so silent noupdate showfailed diff --git a/smartcard-auth.pamd b/smartcard-auth.pamd index e5b57e3..9572770 100644 --- a/smartcard-auth.pamd +++ b/smartcard-auth.pamd @@ -1,6 +1,6 @@ #%PAM-1.0 # This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. +# User changes will be destroyed the next time authselect is run. auth required pam_env.so auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card auth required pam_deny.so diff --git a/system-auth.pamd b/system-auth.pamd index 2e01bf9..5de6f4d 100644 --- a/system-auth.pamd +++ b/system-auth.pamd @@ -1,6 +1,6 @@ #%PAM-1.0 # This file is auto-generated. -# User changes will be destroyed the next time authconfig is run. +# User changes will be destroyed the next time authselect is run. auth required pam_env.so auth sufficient pam_unix.so try_first_pass nullok auth required pam_deny.so