pam_tty_audit: if kernel audit is disabled return PAM_IGNORE

pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD
2020-05-14 13:17:06 +02:00 · 2020-05-14 13:17:06 +02:00 · 9d21ac175c
parent 403090086b
commit 9d21ac175c
3 changed files with 120 additions and 1 deletions
--- a/pam-1.3.1-audit-error.patch
+++ b/pam-1.3.1-audit-error.patch
@ -0,0 +1,35 @@
+From b429ea18b1c9c8953df5169c6a453b4255a6f23d Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ikerpedrosam@gmail.com>
+Date: Thu, 27 Feb 2020 11:48:47 +0100
+Subject: [PATCH] pam_tty_audit: if kernel audit is disabled return PAM_IGNORE
+
+If kernel audit is disabled the socket open will return
+EPROTONOSUPPORT.
+Return PAM_IGNORE from pam_tty_audit and log a warning
+in this situation so login is not blocked by the module.
+---
+ modules/pam_tty_audit/pam_tty_audit.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/modules/pam_tty_audit/pam_tty_audit.c b/modules/pam_tty_audit/pam_tty_audit.c
+index 7dbcada2..589c60a2 100644
+--- a/modules/pam_tty_audit/pam_tty_audit.c
+++ b/modules/pam_tty_audit/pam_tty_audit.c
+@@ -351,6 +351,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags, int argc, const char **argv)
+ 
+   fd = nl_open ();
+   if (fd == -1
+      && errno == EPROTONOSUPPORT)
+    {
+      pam_syslog (pamh, LOG_WARNING, "unable to open audit socket, audit not "
+                  "supported; tty_audit skipped");
+      free (old_status);
+      return PAM_IGNORE;
+    }
+  else if (fd == -1
+       || nl_send (fd, AUDIT_TTY_GET, 0, NULL, 0) != 0
+       || nl_recv (fd, AUDIT_TTY_GET, old_status, sizeof (*old_status)) != 0)
+     {
+-- 
+2.25.2
+
--- a/pam-1.3.1-pam-modutil-close-write.patch
+++ b/pam-1.3.1-pam-modutil-close-write.patch
@ -0,0 +1,74 @@
+From b6f73810a2e7afd02a231e2dfa14b05752c83db7 Mon Sep 17 00:00:00 2001
+From: "Dmitry V. Levin" <ldv@altlinux.org>
+Date: Wed, 26 Feb 2020 19:20:58 +0000
+Subject: [PATCH] pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of
+ PAM_MODUTIL_PIPE_FD
+
+When pam_modutil_sanitize_helper_fds() is invoked with
+PAM_MODUTIL_PIPE_FD to provide a dummy pipe descriptor for stdout
+or stderr, it closes the read end of the newly created dummy pipe.
+The negative side effect of this approach is that any write to such
+descriptor triggers a SIGPIPE.  Avoid this by closing the write end of
+the dummy pipe and using its read end as a dummy pipe descriptor for
+output.  Any read from such descriptor returns 0, and any write just
+fails with EBADF, which should work better with unprepared writers.
+
+* libpam/pam_modutil_sanitize.c (redirect_out_pipe): Remove.
+(redirect_out): Call redirect_in_pipe instead of redirect_out_pipe.
+
+Fixes: b0ec5d1e ("Introduce pam_modutil_sanitize_helper_fds")
+---
+ libpam/pam_modutil_sanitize.c | 30 +-----------------------------
+ 1 file changed, 1 insertion(+), 29 deletions(-)
+
+diff --git a/libpam/pam_modutil_sanitize.c b/libpam/pam_modutil_sanitize.c
+index 605c859d..58b9537c 100644
+--- a/libpam/pam_modutil_sanitize.c
+++ b/libpam/pam_modutil_sanitize.c
+@@ -46,34 +46,6 @@ redirect_in_pipe(pam_handle_t *pamh, int fd, const char *name)
+ 	return fd;
+ }
+ 
+-/*
+- * Creates a pipe, closes its read end, redirects fd to its write end.
+- * Returns fd on success, -1 otherwise.
+- */
+-static int
+-redirect_out_pipe(pam_handle_t *pamh, int fd, const char *name)
+-{
+-	int out[2];
+-
+-	if (pipe(out) < 0) {
+-		pam_syslog(pamh, LOG_ERR, "Could not create pipe: %m");
+-		return -1;
+-	}
+-
+-	close(out[0]);
+-
+-	if (out[1] == fd)
+-		return fd;
+-
+-	if (dup2(out[1], fd) != fd) {
+-		pam_syslog(pamh, LOG_ERR, "dup2 of %s failed: %m", name);
+-		fd = -1;
+-	}
+-
+-	close(out[1]);
+-	return fd;
+-}
+-
+ /*
+  * Opens /dev/null for writing, redirects fd there.
+  * Returns fd on success, -1 otherwise.
+@@ -106,7 +78,7 @@ redirect_out(pam_handle_t *pamh, enum pam_modutil_redirect_fd mode,
+ {
+ 	switch (mode) {
+ 		case PAM_MODUTIL_PIPE_FD:
+-			if (redirect_out_pipe(pamh, fd, name) < 0)
+			if (redirect_in_pipe(pamh, fd, name) < 0)
+ 				return -1;
+ 			break;
+ 		case PAM_MODUTIL_NULL_FD:
+-- 
+2.25.3
+
--- a/pam.spec
+++ b/pam.spec
@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 25%{?dist}
+Release: 26%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@ -63,6 +63,10 @@ Patch51: pam-1.3.1-authtok-verify-fix.patch
 Patch52: pam-1.3.1-add-pam_usertype.patch
 Patch53: pam-1.3.1-add-pam_usertype-fix-backport.patch
 Patch54: pam-1.3.1-pam_selinux-check-unknown-objects.patch
+# Upstreamed
+Patch55: pam-1.3.1-audit-error.patch
+# Upstreamed
+Patch56: pam-1.3.1-pam-modutil-close-write.patch

 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@ -167,6 +171,8 @@ cp %{SOURCE18} .
 %patch52 -p1 -b .add-pam_usertype
 %patch53 -p1 -b .add-pam_usertype-backport
 %patch54 -p1 -b .pam_selinux-check-unknown-objects
+%patch55 -p1 -b .audit-error
+%patch56 -p1 -b .pam-modutil-close-write

 autoreconf -i

@ -419,6 +425,10 @@ done
 %doc doc/sag/*.txt doc/sag/html

 %changelog
+* Thu May 14 2020 Iker Pedrosa <ipedrosa@redhat.com> 1.3.1-26
+- pam_tty_audit: if kernel audit is disabled return PAM_IGNORE (#1775357)
+- pam_modutil_sanitize_helper_fds: fix SIGPIPE effect of PAM_MODUTIL_PIPE_FD (#1791970)
+
 * Thu Apr 23 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-25
 - docs: splitted documentation in subpackage -docs