Coverity fixes, pam_umask added to postlogin
add pam_umask to postlogin PAM configuration file fix some issues found by Coverity scan
This commit is contained in:
parent
dc7f2be86b
commit
786ce63f9d
@ -1,6 +1,6 @@
|
|||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
# This file is auto-generated.
|
# This file is auto-generated.
|
||||||
# User changes will be destroyed the next time authconfig is run.
|
# User changes will be destroyed the next time authselect is run.
|
||||||
auth required pam_env.so
|
auth required pam_env.so
|
||||||
auth sufficient pam_fprintd.so
|
auth sufficient pam_fprintd.so
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
185
pam-1.3.1-coverity.patch
Normal file
185
pam-1.3.1-coverity.patch
Normal file
@ -0,0 +1,185 @@
|
|||||||
|
diff --git a/libpam/pam_handlers.c b/libpam/pam_handlers.c
|
||||||
|
index 106ef7c..b2e94c7 100644
|
||||||
|
--- a/libpam/pam_handlers.c
|
||||||
|
+++ b/libpam/pam_handlers.c
|
||||||
|
@@ -282,7 +282,6 @@ _pam_open_config_file(pam_handle_t *pamh
|
||||||
|
{
|
||||||
|
char *p;
|
||||||
|
FILE *f;
|
||||||
|
- int err = 0;
|
||||||
|
|
||||||
|
/* Absolute path */
|
||||||
|
if (service[0] == '/') {
|
||||||
|
diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c
|
||||||
|
index be53f34..07dce36 100644
|
||||||
|
--- a/libpam_misc/misc_conv.c
|
||||||
|
+++ b/libpam_misc/misc_conv.c
|
||||||
|
@@ -211,7 +211,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||||
|
line[nc] = '\0';
|
||||||
|
}
|
||||||
|
*retstr = strdup(line);
|
||||||
|
- _pam_overwrite(line);
|
||||||
|
+ _pam_overwrite_n(line, sizeof(line));
|
||||||
|
if (!*retstr) {
|
||||||
|
D(("no memory for response string"));
|
||||||
|
nc = -1;
|
||||||
|
@@ -244,7 +244,7 @@ static int read_string(int echo, const char *prompt, char **retstr)
|
||||||
|
D(("the timer appears to have expired"));
|
||||||
|
|
||||||
|
*retstr = NULL;
|
||||||
|
- _pam_overwrite(line);
|
||||||
|
+ _pam_overwrite_n(line, sizeof(line));
|
||||||
|
|
||||||
|
cleanexit:
|
||||||
|
|
||||||
|
diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
|
||||||
|
index 80d885d..3801862 100644
|
||||||
|
--- a/modules/pam_access/pam_access.c
|
||||||
|
+++ b/modules/pam_access/pam_access.c
|
||||||
|
@@ -806,7 +806,7 @@ pam_sm_authenticate (pam_handle_t *pamh, int flags UNUSED,
|
||||||
|
const char *user=NULL;
|
||||||
|
const void *void_from=NULL;
|
||||||
|
const char *from;
|
||||||
|
- const char const *default_config = PAM_ACCESS_CONFIG;
|
||||||
|
+ const char * const default_config = PAM_ACCESS_CONFIG;
|
||||||
|
struct passwd *user_pw;
|
||||||
|
char hostname[MAXHOSTNAMELEN + 1];
|
||||||
|
int rv;
|
||||||
|
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
|
||||||
|
index 4bc4ae7..f8476b4 100644
|
||||||
|
--- a/modules/pam_limits/pam_limits.c
|
||||||
|
+++ b/modules/pam_limits/pam_limits.c
|
||||||
|
@@ -342,7 +342,7 @@ static const char *lnames[RLIM_NLIMITS] = {
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
-static int str2rlimit(char *name) {
|
||||||
|
+static int str2rlimit(const char *name) {
|
||||||
|
int i;
|
||||||
|
if (!name || *name == '\0')
|
||||||
|
return -1;
|
||||||
|
@@ -352,7 +352,7 @@ static int str2rlimit(char *name) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static rlim_t str2rlim_t(char *value) {
|
||||||
|
+static rlim_t str2rlim_t(const char *value) {
|
||||||
|
unsigned long long rlimit = 0;
|
||||||
|
|
||||||
|
if (!value) return (rlim_t)rlimit;
|
||||||
|
@@ -384,7 +384,7 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
|
||||||
|
FILE *limitsfile;
|
||||||
|
const char *proclimits = "/proc/1/limits";
|
||||||
|
char line[256];
|
||||||
|
- char *units, *hard, *soft, *name;
|
||||||
|
+ const char *units, *hard, *soft, *name;
|
||||||
|
|
||||||
|
if (!(limitsfile = fopen(proclimits, "r"))) {
|
||||||
|
pam_syslog(pamh, LOG_WARNING, "Could not read %s (%s), using PAM defaults", proclimits, strerror(errno));
|
||||||
|
diff --git a/modules/pam_loginuid/pam_loginuid.c b/modules/pam_loginuid/pam_loginuid.c
|
||||||
|
index 96bfd98..66d202c 100644
|
||||||
|
--- a/modules/pam_loginuid/pam_loginuid.c
|
||||||
|
+++ b/modules/pam_loginuid/pam_loginuid.c
|
||||||
|
@@ -64,7 +64,7 @@ static int set_loginuid(pam_handle_t *pamh, uid_t uid)
|
||||||
|
fd = open("/proc/self/uid_map", O_RDONLY);
|
||||||
|
if (fd >= 0) {
|
||||||
|
count = pam_modutil_read(fd, uid_map, sizeof(uid_map));
|
||||||
|
- if (strncmp(uid_map, host_uid_map, count) != 0)
|
||||||
|
+ if (count <= 0 || strncmp(uid_map, host_uid_map, count) != 0)
|
||||||
|
rc = PAM_IGNORE;
|
||||||
|
close(fd);
|
||||||
|
}
|
||||||
|
diff --git a/modules/pam_mkhomedir/mkhomedir_helper.c b/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||||
|
index 9e204c1..4b8d6b7 100644
|
||||||
|
--- a/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||||
|
+++ b/modules/pam_mkhomedir/mkhomedir_helper.c
|
||||||
|
@@ -232,6 +232,8 @@ create_homedir(const struct passwd *pwd,
|
||||||
|
{
|
||||||
|
pam_syslog(NULL, LOG_DEBUG,
|
||||||
|
"unable to open or stat src file %s: %m", newsource);
|
||||||
|
+ if (srcfd >= 0)
|
||||||
|
+ close(srcfd);
|
||||||
|
closedir(d);
|
||||||
|
|
||||||
|
#ifndef PATH_MAX
|
||||||
|
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
|
||||||
|
index f541f89..85f5efa 100644
|
||||||
|
--- a/modules/pam_namespace/pam_namespace.c
|
||||||
|
+++ b/modules/pam_namespace/pam_namespace.c
|
||||||
|
@@ -1418,6 +1418,7 @@ static int create_instance(struct polydir_s *polyptr, char *ipath, struct stat *
|
||||||
|
if (fstat(fd, &newstatbuf) < 0) {
|
||||||
|
pam_syslog(idata->pamh, LOG_ERR, "Error stating %s, %m",
|
||||||
|
ipath);
|
||||||
|
+ close(fd);
|
||||||
|
rmdir(ipath);
|
||||||
|
return PAM_SESSION_ERR;
|
||||||
|
}
|
||||||
|
diff --git a/modules/pam_pwhistory/opasswd.c b/modules/pam_pwhistory/opasswd.c
|
||||||
|
index e6cf346..813f579 100644
|
||||||
|
--- a/modules/pam_pwhistory/opasswd.c
|
||||||
|
+++ b/modules/pam_pwhistory/opasswd.c
|
||||||
|
@@ -326,6 +326,9 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||||
|
n = strlen (buf);
|
||||||
|
#endif /* HAVE_GETLINE / HAVE_GETDELIM */
|
||||||
|
|
||||||
|
+ if (n < 1)
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
cp = buf;
|
||||||
|
save = strdup (buf); /* Copy to write the original data back. */
|
||||||
|
if (save == NULL)
|
||||||
|
@@ -336,9 +339,6 @@ save_old_pass (pam_handle_t *pamh, const char *user, uid_t uid,
|
||||||
|
goto error_opasswd;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (n < 1)
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
tmp = strchr (cp, '#'); /* remove comments */
|
||||||
|
if (tmp)
|
||||||
|
*tmp = '\0';
|
||||||
|
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
|
||||||
|
index 17baabe..a9d9140 100644
|
||||||
|
--- a/modules/pam_rootok/pam_rootok.c
|
||||||
|
+++ b/modules/pam_rootok/pam_rootok.c
|
||||||
|
@@ -66,14 +66,17 @@ log_callback (int type, const char *fmt, ...)
|
||||||
|
int audit_fd;
|
||||||
|
va_list ap;
|
||||||
|
|
||||||
|
- va_start(ap, fmt);
|
||||||
|
#ifdef HAVE_LIBAUDIT
|
||||||
|
audit_fd = audit_open();
|
||||||
|
|
||||||
|
if (audit_fd >= 0) {
|
||||||
|
char *buf;
|
||||||
|
+ int ret;
|
||||||
|
|
||||||
|
- if (vasprintf (&buf, fmt, ap) < 0)
|
||||||
|
+ va_start(ap, fmt);
|
||||||
|
+ ret = vasprintf (&buf, fmt, ap)
|
||||||
|
+ va_end(ap);
|
||||||
|
+ if (ret < 0)
|
||||||
|
return 0;
|
||||||
|
audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
|
NULL, 0);
|
||||||
|
@@ -83,6 +86,7 @@ log_callback (int type, const char *fmt, ...)
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif
|
||||||
|
+ va_start(ap, fmt);
|
||||||
|
vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||||
|
va_end(ap);
|
||||||
|
return 0;
|
||||||
|
diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c
|
||||||
|
index c653290..f37af0f 100644
|
||||||
|
--- a/modules/pam_sepermit/pam_sepermit.c
|
||||||
|
+++ b/modules/pam_sepermit/pam_sepermit.c
|
||||||
|
@@ -353,7 +353,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
|
||||||
|
if (*sense == PAM_SUCCESS) {
|
||||||
|
if (ignore)
|
||||||
|
*sense = PAM_IGNORE;
|
||||||
|
- if (geteuid() == 0 && exclusive && get_loginuid(pamh) == -1)
|
||||||
|
+ if (geteuid() == 0 && exclusive && get_loginuid(pamh) == (uid_t)-1)
|
||||||
|
if (sepermit_lock(pamh, user, debug) < 0)
|
||||||
|
*sense = PAM_AUTH_ERR;
|
||||||
|
}
|
8
pam.spec
8
pam.spec
@ -3,7 +3,7 @@
|
|||||||
Summary: An extensible library which provides authentication for applications
|
Summary: An extensible library which provides authentication for applications
|
||||||
Name: pam
|
Name: pam
|
||||||
Version: 1.3.1
|
Version: 1.3.1
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
# The library is BSD licensed with option to relicense as GPLv2+
|
# The library is BSD licensed with option to relicense as GPLv2+
|
||||||
# - this option is redundant as the BSD license allows that anyway.
|
# - this option is redundant as the BSD license allows that anyway.
|
||||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||||
@ -42,6 +42,7 @@ Patch29: pam-1.3.0-pwhistory-helper.patch
|
|||||||
Patch31: pam-1.1.8-audit-user-mgmt.patch
|
Patch31: pam-1.1.8-audit-user-mgmt.patch
|
||||||
Patch32: pam-1.2.1-console-devname.patch
|
Patch32: pam-1.2.1-console-devname.patch
|
||||||
Patch33: pam-1.3.0-unix-nomsg.patch
|
Patch33: pam-1.3.0-unix-nomsg.patch
|
||||||
|
Patch34: pam-1.3.1-coverity.patch
|
||||||
|
|
||||||
%define _pamlibdir %{_libdir}
|
%define _pamlibdir %{_libdir}
|
||||||
%define _moduledir %{_libdir}/security
|
%define _moduledir %{_libdir}/security
|
||||||
@ -123,6 +124,7 @@ cp %{SOURCE18} .
|
|||||||
%patch31 -p1 -b .audit-user-mgmt
|
%patch31 -p1 -b .audit-user-mgmt
|
||||||
%patch32 -p1 -b .devname
|
%patch32 -p1 -b .devname
|
||||||
%patch33 -p1 -b .nomsg
|
%patch33 -p1 -b .nomsg
|
||||||
|
%patch34 -p1 -b .coverity
|
||||||
autoreconf -i
|
autoreconf -i
|
||||||
|
|
||||||
%build
|
%build
|
||||||
@ -366,6 +368,10 @@ done
|
|||||||
%doc doc/specs/rfc86.0.txt
|
%doc doc/specs/rfc86.0.txt
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Sep 10 2018 Tomáš Mráz <tmraz@redhat.com> 1.3.1-4
|
||||||
|
- add pam_umask to postlogin PAM configuration file
|
||||||
|
- fix some issues found by Coverity scan
|
||||||
|
|
||||||
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
|
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.3.1-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
|
||||||
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
# This file is auto-generated.
|
# This file is auto-generated.
|
||||||
# User changes will be destroyed the next time authconfig is run.
|
# User changes will be destroyed the next time authselect is run.
|
||||||
auth required pam_env.so
|
auth required pam_env.so
|
||||||
auth sufficient pam_unix.so try_first_pass nullok
|
auth sufficient pam_unix.so try_first_pass nullok
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
# This file is auto-generated.
|
# This file is auto-generated.
|
||||||
# User changes will be destroyed the next time authconfig is run.
|
# User changes will be destroyed the next time authselect is run.
|
||||||
|
|
||||||
|
session optional pam_umask.so silent
|
||||||
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
|
||||||
session [default=1] pam_lastlog.so nowtmp showfailed
|
session [default=1] pam_lastlog.so nowtmp showfailed
|
||||||
session optional pam_lastlog.so silent noupdate showfailed
|
session optional pam_lastlog.so silent noupdate showfailed
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
# This file is auto-generated.
|
# This file is auto-generated.
|
||||||
# User changes will be destroyed the next time authconfig is run.
|
# User changes will be destroyed the next time authselect is run.
|
||||||
auth required pam_env.so
|
auth required pam_env.so
|
||||||
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
|
auth [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
#%PAM-1.0
|
#%PAM-1.0
|
||||||
# This file is auto-generated.
|
# This file is auto-generated.
|
||||||
# User changes will be destroyed the next time authconfig is run.
|
# User changes will be destroyed the next time authselect is run.
|
||||||
auth required pam_env.so
|
auth required pam_env.so
|
||||||
auth sufficient pam_unix.so try_first_pass nullok
|
auth sufficient pam_unix.so try_first_pass nullok
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
Loading…
Reference in New Issue
Block a user