rpms/pam
5
0
Fork 0
Code Issues Pull Requests Releases Activity

pam_unix and pam_usertype: avoid determining if user exists

Browse Source
This commit is contained in:
ipedrosa 2020-06-17 16:04:16 +02:00
parent 9d21ac175c
commit 7d1e156168
2 changed files with 89 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

82
pam-1.3.1-determinine-user-exists.patch Normal file
View File

@ -0,0 +1,82 @@
diff -up Linux-PAM-1.3.1/modules/pam_unix/passverify.c.determinine-user-exists Linux-PAM-1.3.1/modules/pam_unix/passverify.c
--- Linux-PAM-1.3.1/modules/pam_unix/passverify.c.determinine-user-exists 2020-06-17 15:34:08.089162532 +0200
+++ Linux-PAM-1.3.1/modules/pam_unix/passverify.c 2020-06-17 15:36:13.233294407 +0200
@@ -1087,6 +1087,12 @@ helper_verify_password(const char *name,
if (pwd == NULL || salt == NULL) {
helper_log_err(LOG_NOTICE, "check pass; user unknown");
retval = PAM_USER_UNKNOWN;
+ } else if (p[0] == '\0' && nullok) {
+ if (salt[0] == '\0') {
+ retval = PAM_SUCCESS;
+ } else {
+ retval = PAM_AUTH_ERR;
+ }
} else {
retval = verify_pwd_hash(p, salt, nullok);
}
diff -up Linux-PAM-1.3.1/modules/pam_unix/support.c.determinine-user-exists Linux-PAM-1.3.1/modules/pam_unix/support.c
--- Linux-PAM-1.3.1/modules/pam_unix/support.c.determinine-user-exists 2020-06-17 15:34:08.090162549 +0200
+++ Linux-PAM-1.3.1/modules/pam_unix/support.c 2020-06-17 15:34:08.101162736 +0200
@@ -672,6 +672,8 @@ _unix_blankpasswd (pam_handle_t *pamh, u
struct passwd *pwd = NULL;
char *salt = NULL;
int retval;
+ int execloop = 1;
+ int nonexistent = 1;
D(("called"));
@@ -686,14 +688,31 @@ _unix_blankpasswd (pam_handle_t *pamh, u
/* UNIX passwords area */
- retval = get_pwd_hash(pamh, name, &pwd, &salt);
+ /*
+ * Execute this loop twice: one checking the password hash of an existing
+ * user and another one for a non-existing user. This way the runtimes
+ * are equal, making it more difficult to differentiate existing from
+ * non-existing users.
+ */
+ while (execloop) {
+ retval = get_pwd_hash(pamh, name, &pwd, &salt);
- if (retval == PAM_UNIX_RUN_HELPER) {
- /* salt will not be set here so we can return immediately */
- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
- return 1;
- else
- return 0;
+ if (retval == PAM_UNIX_RUN_HELPER) {
+ execloop = 0;
+ if(nonexistent) {
+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
+ }
+ /* salt will not be set here so we can return immediately */
+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
+ return 1;
+ else
+ return 0;
+ } else if (retval == PAM_USER_UNKNOWN) {
+ name = "root";
+ nonexistent = 0;
+ } else {
+ execloop = 0;
+ }
}
/* Does this user have a password? */
diff -up Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.determinine-user-exists Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c
--- Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c.determinine-user-exists 2020-06-17 15:34:08.098162685 +0200
+++ Linux-PAM-1.3.1/modules/pam_usertype/pam_usertype.c 2020-06-17 15:34:08.101162736 +0200
@@ -236,8 +236,11 @@ pam_usertype_get_uid(struct pam_usertype
"error retrieving information about user %s", username);
}
+ pam_modutil_getpwnam(pamh, "root");
+
return PAM_USER_UNKNOWN;
}
+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:");
*_uid = pwd->pw_uid;

8
pam.spec
View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications Summary: An extensible library which provides authentication for applications
Name: pam Name: pam
Version: 1.3.1 Version: 1.3.1
Release: 26%{?dist} Release: 27%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+ # The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway. # - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+. # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -67,6 +67,8 @@ Patch54: pam-1.3.1-pam_selinux-check-unknown-objects.patch
Patch55: pam-1.3.1-audit-error.patch Patch55: pam-1.3.1-audit-error.patch
# Upstreamed # Upstreamed
Patch56: pam-1.3.1-pam-modutil-close-write.patch Patch56: pam-1.3.1-pam-modutil-close-write.patch
# Upstreamed
Patch57: pam-1.3.1-determinine-user-exists.patch
%global _pamlibdir %{_libdir} %global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security %global _moduledir %{_libdir}/security
@ -173,6 +175,7 @@ cp %{SOURCE18} .
%patch54 -p1 -b .pam_selinux-check-unknown-objects %patch54 -p1 -b .pam_selinux-check-unknown-objects
%patch55 -p1 -b .audit-error %patch55 -p1 -b .audit-error
%patch56 -p1 -b .pam-modutil-close-write %patch56 -p1 -b .pam-modutil-close-write
%patch57 -p1 -b .determinine-user-exists
autoreconf -i autoreconf -i
@ -425,6 +428,9 @@ done
%doc doc/sag/*.txt doc/sag/html %doc doc/sag/*.txt doc/sag/html
%changelog %changelog
* Wed Jun 17 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-27
- pam_unix and pam_usertype: avoid determining if user exists (#1629598)
* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-26 * Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-26
- pam_tty_audit: if kernel audit is disabled return PAM_IGNORE (#1775357) - pam_tty_audit: if kernel audit is disabled return PAM_IGNORE (#1775357)
- pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD (#1791970) - pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD (#1791970)