- pam_motd: read motd files with target user credentials skipping unreadable ones (#1861640)

- Clarify upstreamed patches
This commit is contained in:
ipedrosa 2020-10-14 15:01:34 +02:00
parent 8f7e444c74
commit 767f761a2d
2 changed files with 202 additions and 2 deletions

View File

@ -0,0 +1,186 @@
From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 15 Sep 2020 15:54:10 +0200
Subject: [PATCH 1/2] pam_motd: filter motd by user and group
modules/pam_motd/pam_motd.c: filter motd by user and group owning the
proper files. This is achieved by changing the ids of the process
reading the files from root to the target user.
Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=1861640
---
modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++---------
1 file changed, 75 insertions(+), 22 deletions(-)
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
index 46f4fe61..a4fd0e59 100644
--- a/modules/pam_motd/pam_motd.c
+++ b/modules/pam_motd/pam_motd.c
@@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
_pam_drop(dirscans);
}
+static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs)
+{
+ struct passwd *pw;
+ const char *username;
+ int retval;
+
+ retval = pam_get_user(pamh, &username, "key user");
+
+ if (retval == PAM_SUCCESS) {
+ pw = pam_modutil_getpwnam (pamh, username);
+ } else {
+ return PAM_SESSION_ERR;
+ }
+
+ if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) {
+ return PAM_SESSION_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
+static int try_to_display(pam_handle_t *pamh, char **motd_path_split,
+ unsigned int num_motd_paths,
+ char **motd_dir_path_split,
+ unsigned int num_motd_dir_paths, int report_missing)
+{
+ PAM_MODUTIL_DEF_PRIVS(privs);
+
+ if (drop_privileges(pamh, &privs) != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "Unable to drop privileges");
+ return PAM_SESSION_ERR;
+ }
+
+ if (motd_path_split != NULL) {
+ unsigned int i;
+
+ for (i = 0; i < num_motd_paths; i++) {
+ int fd = open(motd_path_split[i], O_RDONLY, 0);
+
+ if (fd >= 0) {
+ try_to_display_fd(pamh, fd);
+ close(fd);
+
+ /* We found and displayed a file,
+ * move onto next filename.
+ */
+ break;
+ }
+ }
+ }
+
+ if (motd_dir_path_split != NULL) {
+ try_to_display_directories_with_overrides(pamh,
+ motd_dir_path_split,
+ num_motd_dir_paths,
+ report_missing);
+ }
+
+ if (pam_modutil_regain_priv(pamh, &privs)) {
+ pam_syslog(pamh, LOG_ERR, "Unable to regain privileges");
+ return PAM_SESSION_ERR;
+ }
+
+ return PAM_SUCCESS;
+}
+
int pam_sm_open_session(pam_handle_t *pamh, int flags,
int argc, const char **argv)
{
@@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
}
}
- if (motd_path_split != NULL) {
- unsigned int i;
-
- for (i = 0; i < num_motd_paths; i++) {
- int fd = open(motd_path_split[i], O_RDONLY, 0);
-
- if (fd >= 0) {
- try_to_display_fd(pamh, fd);
- close(fd);
-
- /* We found and displayed a file, move onto next filename. */
- break;
- }
- }
- }
-
- if (motd_dir_path_split != NULL)
- try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
- num_motd_dir_paths, report_missing);
+ retval = try_to_display(pamh, motd_path_split, num_motd_paths,
+ motd_dir_path_split, num_motd_dir_paths,
+ report_missing);
out:
_pam_drop(motd_path_copy);
@@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
_pam_drop(motd_dir_path_copy);
_pam_drop(motd_dir_path_split);
- retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
-
- return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
+ if (retval == PAM_SUCCESS) {
+ retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
+ return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
+ } else {
+ return retval;
+ }
}
/* end of module definition */
--
2.26.2
From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 14 Oct 2020 11:30:00 +0200
Subject: [PATCH 2/2] pam_motd: document file filtering
modules/pam_motd/pam_motd.8.xml: document file filtering of motd
messages.
NEWS: annotate change.
---
NEWS | 3 +++
modules/pam_motd/pam_motd.8.xml | 5 +++--
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index e8c0de87..c3b338e2 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,8 @@
Linux-PAM NEWS -- history of user-visible changes.
+Release 1.5.0
+* pam_motd: read motd files with target user credentials skipping unreadable ones.
+
Release 1.4.0
* Multiple minor bug fixes and documentation improvements
* Fixed grammar of messages printed via pam_prompt
diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
index b533530b..0afd4c99 100644
--- a/modules/pam_motd/pam_motd.8.xml
+++ b/modules/pam_motd/pam_motd.8.xml
@@ -64,8 +64,9 @@
override files with the same name in <filename>/usr/lib/motd.d/</filename>.
</para>
<para>
- Files the in the directories listed above are displayed in
- lexicographic order by name.
+ Files in the directories listed above are displayed in lexicographic
+ order by name. Moreover, the files are filtered by reading them with the
+ credentials of the target user authenticating on the system.
</para>
<para>
To silence a message,
--
2.26.2

View File

@ -3,7 +3,7 @@
Summary: An extensible library which provides authentication for applications
Name: pam
Version: 1.4.0
Release: 4%{?dist}
Release: 5%{?dist}
# The library is BSD licensed with option to relicense as GPLv2+
# - this option is redundant as the BSD license allows that anyway.
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -26,19 +26,28 @@ Source17: postlogin.5
Source18: https://www.gnu.org/licenses/old-licenses/gpl-2.0.txt
Patch1: pam-1.4.0-redhat-modules.patch
Patch9: pam-1.4.0-noflex.patch
# https://github.com/linux-pam/linux-pam/commit/cbdef051ab5d4031656d14ac6cdb1f6c2d8d6595
Patch10: pam-1.4.0-nouserenv.patch
# https://github.com/linux-pam/linux-pam/commit/adc037167ad293242d9c69c4d427da1001f26706
Patch13: pam-1.1.6-limits-user.patch
Patch15: pam-1.4.0-full-relro.patch
# Upstreamed partially
# https://github.com/linux-pam/linux-pam/commit/f787845843da96cc29ea1f864e29fb17379b36b7
Patch29: pam-1.4.0-pwhistory-helper.patch
Patch31: pam-1.1.8-audit-user-mgmt.patch
Patch33: pam-1.3.0-unix-nomsg.patch
# https://github.com/linux-pam/linux-pam/commit/655b5e3cf32cb2bd6606cb8ab696b8f00f87051e
# https://github.com/linux-pam/linux-pam/commit/a6a1b9f788a79b2a09827c72a755f471c2e05100
# https://github.com/linux-pam/linux-pam/commit/2bae5daf16d4466185fac89539d653b269a3ea01
# https://github.com/linux-pam/linux-pam/commit/276ad5b8e48aa77c24ef25e18d2e97f66c83d68c
Patch34: pam-1.4.0-coverity.patch
# https://github.com/linux-pam/linux-pam/commit/af0faf666c5008e54dfe43684f210e3581ff1bca
# https://github.com/linux-pam/linux-pam/commit/0e9b286afe1224b91ff00936058b084ad4b776e4
Patch57: pam-1.4.0-determine-user-exists.patch
# https://github.com/linux-pam/linux-pam/commit/395915dae1571e10e2766c999974de864655ea3a
Patch58: pam-1.3.1-faillock-change-file-permissions.patch
# https://github.com/linux-pam/linux-pam/commit/16cebfeb30a8bd7c7dc269190a054c25b0f8d044
# https://github.com/linux-pam/linux-pam/commit/ad8b6feaf8ea989368676acaea905998a807986e
Patch59: pam-1.4.0-motd-filter-files.patch
%global _pamlibdir %{_libdir}
%global _moduledir %{_libdir}/security
@ -129,6 +138,7 @@ cp %{SOURCE18} .
%patch34 -p1 -b .coverity
%patch57 -p1 -b .determine-user-exists
%patch58 -p1 -b .faillock-change-file-permissions
%patch59 -p1 -b .motd-filter-files
autoreconf -i
@ -388,6 +398,10 @@ done
%doc doc/sag/*.txt doc/sag/html
%changelog
* Wed Oct 14 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-5
- pam_motd: read motd files with target user credentials skipping unreadable ones (#1861640)
- Clarify upstreamed patches
* Tue Aug 04 2020 Tom Stellard <tstellar@redhat.com> - 1.4.0-4
- Add BuildRequires: gcc
- https://docs.fedoraproject.org/en-US/packaging-guidelines/C_and_C++/#_packaging