pam_access: rework resolving of tokens as hostname

Resolves: CVE-2024-10963 and RHEL-66244 Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
2024-11-21 09:45:04 +01:00 · 2024-11-21 09:45:04 +01:00 · d6bedec47c
commit d6bedec47c
parent 67bc312e7e
2 changed files with 228 additions and 1 deletions
--- a/pam-1.5.1-pam-access-resolve-ip.patch
+++ b/pam-1.5.1-pam-access-resolve-ip.patch
@ -0,0 +1,220 @@
 diff -up Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml
 --- Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml.pam-access-resolve-ip	2024-11-21 09:37:12.440595194 +0100
 +++ Linux-PAM-1.5.1/modules/pam_access/access.conf.5.xml	2024-11-21 09:39:18.568949578 +0100
@@ -221,6 +221,14 @@
       item and the line will be most probably ignored. For this reason, it is not
       recommended to put spaces around the ':' characters.
     </para>
 +    <para>
 +      An IPv6 link local host address must contain the interface
 +      identifier. IPv6 link local network/netmask is not supported.
 +    </para>
 +    <para>
 +      Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid
 +      confusion with device names or PAM service names.
 +    </para>
   </refsect1>
   <refsect1 id="access.conf-see_also">
 diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml
 --- Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml.pam-access-resolve-ip	2024-11-21 09:37:12.440595194 +0100
 +++ Linux-PAM-1.5.1/modules/pam_access/pam_access.8.xml	2024-11-21 09:40:00.100066246 +0100
@@ -25,11 +25,14 @@
       <arg choice="opt">
         debug
       </arg>
 +      <arg choice="opt" rep="norepeat">
 +        noaudit
 +      </arg>
       <arg choice="opt">
         nodefgroup
       </arg>
 -      <arg choice="opt">
 -        noaudit
 +      <arg choice="opt" rep="norepeat">
 +        nodns
       </arg>
       <arg choice="opt">
         accessfile=<replaceable>file</replaceable>
@@ -114,7 +117,46 @@
       <varlistentry>
         <term>
 -          <option>fieldsep=<replaceable>separators</replaceable></option>
 +          nodefgroup
 +        </term>
 +        <listitem>
 +          <para>
 +            User tokens which are not enclosed in parentheses will not be
 +	    matched against the group database. The backwards compatible default is
 +            to try the group database match even for tokens not enclosed
 +            in parentheses.
 +          </para>
 +        </listitem>
 +      </varlistentry>
 +
 +      <varlistentry>
 +        <term>
 +          nodns
 +        </term>
 +        <listitem>
 +          <para>
 +	    Do not try to resolve tokens as hostnames, only IPv4 and IPv6
 +	    addresses will be resolved. Which means to allow login from a
 +	    remote host, the IP addresses need to be specified in <filename>access.conf</filename>.
 +          </para>
 +        </listitem>
 +      </varlistentry>
 +
 +      <varlistentry>
 +        <term>
 +          quiet_log
 +        </term>
 +        <listitem>
 +          <para>
 +            Do not log denials with
 +            <citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
 +          </para>
 +        </listitem>
 +      </varlistentry>
 +
 +      <varlistentry>
 +        <term>
 +          fieldsep=separators
         </term>
         <listitem>
           <para>
@@ -152,20 +194,6 @@
           </para>
         </listitem>
       </varlistentry>
 -
 -      <varlistentry>
 -        <term>
 -          <option>nodefgroup</option>
 -        </term>
 -        <listitem>
 -          <para>
 -            User tokens which are not enclosed in parentheses will not be
 -	    matched against the group database. The backwards compatible default is
 -            to try the group database match even for tokens not enclosed
 -            in parentheses.
 -          </para>
 -        </listitem>
 -      </varlistentry>
     </variablelist>
   </refsect1>
 diff -up Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip Linux-PAM-1.5.1/modules/pam_access/pam_access.c
 --- Linux-PAM-1.5.1/modules/pam_access/pam_access.c.pam-access-resolve-ip	2024-11-21 09:37:12.439595191 +0100
 +++ Linux-PAM-1.5.1/modules/pam_access/pam_access.c	2024-11-21 09:40:13.231103128 +0100
@@ -92,6 +92,7 @@ struct login_info {
     int debug;				/* Print debugging messages. */
     int only_new_group_syntax;		/* Only allow group entries of the form "(xyz)" */
     int noaudit;			/* Do not audit denials */
 +    int nodns;                          /* Do not try to resolve tokens as hostnames */
     const char *fs;			/* field separator */
     const char *sep;			/* list-element separator */
     int from_remote_host;               /* If PAM_RHOST was used for from */
@@ -143,6 +144,8 @@ parse_args(pam_handle_t *pamh, struct lo
 	    loginfo->only_new_group_syntax = YES;
 	} else if (strcmp (argv[i], "noaudit") == 0) {
 	    loginfo->noaudit = YES;
 +	} else if (strcmp (argv[i], "nodns") == 0) {
 +	    loginfo->nodns = YES;
 	} else {
 	    pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]);
 	}
@@ -663,7 +666,7 @@ remote_match (pam_handle_t *pamh, char *
       if ((str_len = strlen(string)) > tok_len
 	  && strcasecmp(tok, string + str_len - tok_len) == 0)
 	return YES;
 -    } else if (tok[tok_len - 1] == '.') {
 +    } else if (tok[tok_len - 1] == '.') {       /* internet network numbers/subnet (end with ".") */
       struct addrinfo hint;
       memset (&hint, '\0', sizeof (hint));
@@ -738,6 +741,39 @@ string_match (pam_handle_t *pamh, const
 }
 +static int
 +is_device (pam_handle_t *pamh, const char *tok)
 +{
 +  struct stat st;
 +  const char *dev = "/dev/";
 +  char *devname;
 +
 +  devname = malloc (strlen(dev) + strlen (tok) + 1);
 +  if (devname == NULL) {
 +      pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m");
 +      /*
 +       * We should return an error and abort, but pam_access has no good
 +       * error handling.
 +       */
 +      return NO;
 +  }
 +
 +  char *cp = stpcpy (devname, dev);
 +  strcpy (cp, tok);
 +
 +  if (lstat(devname, &st) != 0)
 +    {
 +      free (devname);
 +      return NO;
 +    }
 +  free (devname);
 +
 +  if (S_ISCHR(st.st_mode))
 +    return YES;
 +
 +  return NO;
 +}
 +
 /* network_netmask_match - match a string against one token
  * where string is a hostname or ip (v4,v6) address and tok
  * represents either a hostname, a single ip (v4,v6) address
@@ -799,10 +835,42 @@ network_netmask_match (pam_handle_t *pam
 	    return NO;
 	  }
       }
 +    else if (isipaddr(tok, NULL, NULL) == YES)
 +      {
 +	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
 +	  {
 +	    if (item->debug)
 +	      pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok);
 +
 +	    return NO;
 +	  }
 +	netmask_ptr = NULL;
 +      }
 +    else if (item->nodns)
 +      {
 +	/* Only hostnames are left, which we would need to resolve via DNS */
 +	return NO;
 +      }
     else
       {
 +	/* Bail out on X11 Display entries and ttys. */
 +	if (tok[0] == ':')
 +	  {
 +	    if (item->debug)
 +	      pam_syslog (pamh, LOG_DEBUG,
 +			  "network_netmask_match: tok=%s is X11 display", tok);
 +	    return NO;
 +	  }
 +	if (is_device (pamh, tok))
 +	  {
 +	    if (item->debug)
 +	      pam_syslog (pamh, LOG_DEBUG,
 +			  "network_netmask_match: tok=%s is a TTY", tok);
 +	    return NO;
 +	  }
 +
         /*
 -	 * It is either an IP address or a hostname.
 +	 * It is most likely a hostname.
 	 * Let getaddrinfo sort everything out
 	 */
 	if (getaddrinfo (tok, NULL, NULL, &ai) != 0)
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.5.1
-Release: 22%{?dist}
+Release: 23%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -73,6 +73,8 @@ Patch22: pam-1.5.1-pam-unix-shadow-password.patch
 # https://github.com/linux-pam/linux-pam/commit/08992030c56c940c0707ccbc442b1c325aa01e6d
 # https://github.com/linux-pam/linux-pam/commit/641dfd1084508c63f3590e93a35b80ffc50774e5
 Patch23: pam-1.5.1-pam-access-local.patch
 # https://github.com/linux-pam/linux-pam/commit/940747f88c16e029b69a74e80a2e94f65cb3e628
 Patch24: pam-1.5.1-pam-access-resolve-ip.patch
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@ -178,6 +180,7 @@ cp %{SOURCE18} .
 %patch21 -p1 -b .libpam-support-long-lines
 %patch22 -p1 -b .pam-unix-shadow-password
 %patch23 -p1 -b .pam-access-local
 %patch24 -p1 -b .pam-access-resolve-ip
 autoreconf -i
@ -433,6 +436,10 @@ done
 %doc doc/sag/*.txt doc/sag/html
 %changelog
 * Thu Nov 21 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-23
 - pam_access: rework resolving of tokens as hostname.
  Resolves: CVE-2024-10963 and RHEL-66244
 * Mon Nov  4 2024 Iker Pedrosa <ipedrosa@redhat.com> - 1.5.1-22
 - pam_unix: always run the helper to obtain shadow password file entries.
  CVE-2024-10041. Resolves: RHEL-62879