From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001 From: ikerexxe Date: Tue, 15 Sep 2020 15:54:10 +0200 Subject: [PATCH 1/2] pam_motd: filter motd by user and group modules/pam_motd/pam_motd.c: filter motd by user and group owning the proper files. This is achieved by changing the ids of the process reading the files from root to the target user. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1861640 --- modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++--------- 1 file changed, 75 insertions(+), 22 deletions(-) diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c index 46f4fe61..a4fd0e59 100644 --- a/modules/pam_motd/pam_motd.c +++ b/modules/pam_motd/pam_motd.c @@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh, _pam_drop(dirscans); } +static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs) +{ + struct passwd *pw; + const char *username; + int retval; + + retval = pam_get_user(pamh, &username, "key user"); + + if (retval == PAM_SUCCESS) { + pw = pam_modutil_getpwnam (pamh, username); + } else { + return PAM_SESSION_ERR; + } + + if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) { + return PAM_SESSION_ERR; + } + + return PAM_SUCCESS; +} + +static int try_to_display(pam_handle_t *pamh, char **motd_path_split, + unsigned int num_motd_paths, + char **motd_dir_path_split, + unsigned int num_motd_dir_paths, int report_missing) +{ + PAM_MODUTIL_DEF_PRIVS(privs); + + if (drop_privileges(pamh, &privs) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Unable to drop privileges"); + return PAM_SESSION_ERR; + } + + if (motd_path_split != NULL) { + unsigned int i; + + for (i = 0; i < num_motd_paths; i++) { + int fd = open(motd_path_split[i], O_RDONLY, 0); + + if (fd >= 0) { + try_to_display_fd(pamh, fd); + close(fd); + + /* We found and displayed a file, + * move onto next filename. + */ + break; + } + } + } + + if (motd_dir_path_split != NULL) { + try_to_display_directories_with_overrides(pamh, + motd_dir_path_split, + num_motd_dir_paths, + report_missing); + } + + if (pam_modutil_regain_priv(pamh, &privs)) { + pam_syslog(pamh, LOG_ERR, "Unable to regain privileges"); + return PAM_SESSION_ERR; + } + + return PAM_SUCCESS; +} + int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { @@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, } } - if (motd_path_split != NULL) { - unsigned int i; - - for (i = 0; i < num_motd_paths; i++) { - int fd = open(motd_path_split[i], O_RDONLY, 0); - - if (fd >= 0) { - try_to_display_fd(pamh, fd); - close(fd); - - /* We found and displayed a file, move onto next filename. */ - break; - } - } - } - - if (motd_dir_path_split != NULL) - try_to_display_directories_with_overrides(pamh, motd_dir_path_split, - num_motd_dir_paths, report_missing); + retval = try_to_display(pamh, motd_path_split, num_motd_paths, + motd_dir_path_split, num_motd_dir_paths, + report_missing); out: _pam_drop(motd_path_copy); @@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags, _pam_drop(motd_dir_path_copy); _pam_drop(motd_dir_path_split); - retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); - - return retval == PAM_SUCCESS ? PAM_IGNORE : retval; + if (retval == PAM_SUCCESS) { + retval = pam_putenv(pamh, "MOTD_SHOWN=pam"); + return retval == PAM_SUCCESS ? PAM_IGNORE : retval; + } else { + return retval; + } } /* end of module definition */ -- 2.26.2 From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001 From: ikerexxe Date: Wed, 14 Oct 2020 11:30:00 +0200 Subject: [PATCH 2/2] pam_motd: document file filtering modules/pam_motd/pam_motd.8.xml: document file filtering of motd messages. NEWS: annotate change. --- NEWS | 3 +++ modules/pam_motd/pam_motd.8.xml | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index e8c0de87..c3b338e2 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,8 @@ Linux-PAM NEWS -- history of user-visible changes. +Release 1.5.0 +* pam_motd: read motd files with target user credentials skipping unreadable ones. + Release 1.4.0 * Multiple minor bug fixes and documentation improvements * Fixed grammar of messages printed via pam_prompt diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml index b533530b..0afd4c99 100644 --- a/modules/pam_motd/pam_motd.8.xml +++ b/modules/pam_motd/pam_motd.8.xml @@ -64,8 +64,9 @@ override files with the same name in /usr/lib/motd.d/. - Files the in the directories listed above are displayed in - lexicographic order by name. + Files in the directories listed above are displayed in lexicographic + order by name. Moreover, the files are filtered by reading them with the + credentials of the target user authenticating on the system. To silence a message, -- 2.26.2