Compare commits
4 Commits
Author | SHA1 | Date |
---|---|---|
Björn Esser | 3513119870 | |
ipedrosa | 21bff18674 | |
ipedrosa | 0c883934f5 | |
Allison Karlitskaya | 2121d4effb |
|
@ -0,0 +1,66 @@
|
|||
From 62d826471e87e27b39a36ccbeee58999e2514a92 Mon Sep 17 00:00:00 2001
|
||||
From: Allison Karlitskaya <allison.karlitskaya@redhat.com>
|
||||
Date: Thu, 5 Nov 2020 14:06:53 +0100
|
||||
Subject: [PATCH] libpam: add supplementary groups on priv drop
|
||||
|
||||
Replace the setgroups(0, NULL) call in pam_modutil_drop_priv() with a
|
||||
call to initgroups(). This makes sure that the user's supplementary
|
||||
groups are also configured. Fall back to setgroups(0, NULL) in case the
|
||||
initgroups() call fails.
|
||||
|
||||
This fixes the permission check in pam_motd: this feature was intended
|
||||
to allow setting permissions on a motd file to prevent it from being
|
||||
shown to users who are not a member of a particular group (for example,
|
||||
wheel).
|
||||
|
||||
Closes #292
|
||||
---
|
||||
NEWS | 2 ++
|
||||
libpam/pam_modutil_priv.c | 17 +++++++++++++----
|
||||
2 files changed, 15 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/NEWS b/NEWS
|
||||
index d0f583e4..5f86660d 100644
|
||||
--- a/NEWS
|
||||
+++ b/NEWS
|
||||
@@ -2,6 +2,8 @@
|
||||
|
||||
Release 1.5.0
|
||||
* pam_motd: read motd files with target user credentials skipping unreadable ones.
|
||||
+* libpam: pam_modutil_drop_priv() now correctly sets the target user's
|
||||
+ supplementary groups, allowing pam_motd to filter messages accordingly
|
||||
|
||||
Release 1.4.0
|
||||
* Multiple minor bug fixes and documentation improvements
|
||||
diff --git a/libpam/pam_modutil_priv.c b/libpam/pam_modutil_priv.c
|
||||
index e22fab1a..a463e06a 100644
|
||||
--- a/libpam/pam_modutil_priv.c
|
||||
+++ b/libpam/pam_modutil_priv.c
|
||||
@@ -107,11 +107,20 @@ int pam_modutil_drop_priv(pam_handle_t *pamh,
|
||||
* We should care to leave process credentials in consistent state.
|
||||
* That is, e.g. if change_gid() succeeded but change_uid() failed,
|
||||
* we should try to restore old gid.
|
||||
+ *
|
||||
+ * We try to add the supplementary groups on a best-effort
|
||||
+ * basis. If it fails, it's not fatal: we fall back to using an
|
||||
+ * empty list.
|
||||
*/
|
||||
- if (setgroups(0, NULL)) {
|
||||
- pam_syslog(pamh, LOG_ERR,
|
||||
- "pam_modutil_drop_priv: setgroups failed: %m");
|
||||
- return cleanup(p);
|
||||
+ if (initgroups(pw->pw_name, pw->pw_gid)) {
|
||||
+ pam_syslog(pamh, LOG_WARNING,
|
||||
+ "pam_modutil_drop_priv: initgroups failed: %m");
|
||||
+
|
||||
+ if (setgroups(0, NULL)) {
|
||||
+ pam_syslog(pamh, LOG_ERR,
|
||||
+ "pam_modutil_drop_priv: setgroups failed: %m");
|
||||
+ return cleanup(p);
|
||||
+ }
|
||||
}
|
||||
if (change_gid(pw->pw_gid, &p->old_gid)) {
|
||||
pam_syslog(pamh, LOG_ERR,
|
||||
--
|
||||
2.28.0
|
||||
|
|
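Review bot: The LOG_WARNING message on the initgroups() failure path does not say that the code then falls back to an empty supplementary group list, so a log reader cannot tell from the message alone why the target user later lacks group-granted access (for example the pam_motd group filter described in the commit message hiding files rather than erroring). Suggest `"pam_modutil_drop_priv: initgroups failed, falling back to empty supplementary group list: %m"`. The new comment above the call could also state the direction of the fallback: an empty list is a subset of any list initgroups() would have set, so the failure path can only be more restrictive, never grant extra group access. pam_modutil_drop_priv() starts and ends outside the hunk, and the setgroups() fallback still relies on cleanup(p), which is defined elsewhere in the file.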
@ -0,0 +1,39 @@
|
|||
From 980d90c9232fe5325d1a4deddd42c597cf9e1a54 Mon Sep 17 00:00:00 2001
|
||||
From: "Dmitry V. Levin" <ldv@altlinux.org>
|
||||
Date: Thu, 10 Jun 2021 14:00:00 +0000
|
||||
Subject: [PATCH] pam_unix: do not use crypt_checksalt when checking for
|
||||
password expiration
|
||||
|
||||
According to Zack Weinberg, the intended meaning of
|
||||
CRYPT_SALT_METHOD_LEGACY is "passwd(1) should not use this hashing
|
||||
method", it is not supposed to mean "force a password change on next
|
||||
login for any user with an existing stored hash using this method".
|
||||
|
||||
This reverts commit 4da9febc39b955892a30686e8396785b96bb8ba5.
|
||||
|
||||
* modules/pam_unix/passverify.c (check_shadow_expiry)
|
||||
[CRYPT_CHECKSALT_AVAILABLE]: Remove.
|
||||
|
||||
Closes: https://github.com/linux-pam/linux-pam/issues/367
|
||||
---
|
||||
modules/pam_unix/passverify.c | 6 ------
|
||||
1 file changed, 6 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
|
||||
index f6132f80..5a19ed85 100644
|
||||
--- a/modules/pam_unix/passverify.c
|
||||
+++ b/modules/pam_unix/passverify.c
|
||||
@@ -289,13 +289,7 @@ PAMH_ARG_DECL(int check_shadow_expiry,
|
||||
D(("account expired"));
|
||||
return PAM_ACCT_EXPIRED;
|
||||
}
|
||||
-#if defined(CRYPT_CHECKSALT_AVAILABLE) && CRYPT_CHECKSALT_AVAILABLE
|
||||
- if (spent->sp_lstchg == 0 ||
|
||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_METHOD_LEGACY ||
|
||||
- crypt_checksalt(spent->sp_pwdp) == CRYPT_SALT_TOO_CHEAP) {
|
||||
-#else
|
||||
if (spent->sp_lstchg == 0) {
|
||||
-#endif
|
||||
D(("need a new password"));
|
||||
*daysleft = 0;
|
||||
return PAM_NEW_AUTHTOK_REQD;
|
|
@ -0,0 +1,98 @@
|
|||
From 30fdfb90d9864bcc254a62760aaa149d373fd4eb Mon Sep 17 00:00:00 2001
|
||||
From: Tomas Mraz <tmraz@fedoraproject.org>
|
||||
Date: Fri, 20 Nov 2020 13:38:23 +0100
|
||||
Subject: [PATCH] Second blank check with root for non-existent users must
|
||||
never return 1
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The commit af0faf66 ("pam_unix: avoid determining if user exists") introduced
|
||||
a regression where the blank check could return 1 if root had an empty
|
||||
password hash because in the second case the password hash of root was
|
||||
used. We now always return 0 in this case.
|
||||
|
||||
The issue was found by Johannes Löthberg.
|
||||
|
||||
Fixes #284
|
||||
|
||||
* modules/pam_unix/support.c (_unix_blankpasswd): Make the loop
|
||||
to cover the complete blank check so both existing and non existing
|
||||
cases are identical except for the possible return value.
|
||||
---
|
||||
modules/pam_unix/support.c | 39 +++++++++++++-------------------------
|
||||
1 file changed, 13 insertions(+), 26 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
||||
index d669e951..27ca7127 100644
|
||||
--- a/modules/pam_unix/support.c
|
||||
+++ b/modules/pam_unix/support.c
|
||||
@@ -601,8 +601,9 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
|
||||
char *salt = NULL;
|
||||
int daysleft;
|
||||
int retval;
|
||||
- int execloop = 1;
|
||||
- int nonexistent = 1;
|
||||
+ int blank = 0;
|
||||
+ int execloop;
|
||||
+ int nonexistent_check = 1;
|
||||
|
||||
D(("called"));
|
||||
|
||||
@@ -632,43 +633,29 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name
|
||||
* are equal, making it more difficult to differentiate existing from
|
||||
* non-existing users.
|
||||
*/
|
||||
- while (execloop) {
|
||||
+ for (execloop = 0; execloop < 2; ++execloop) {
|
||||
retval = get_pwd_hash(pamh, name, &pwd, &salt);
|
||||
|
||||
if (retval == PAM_UNIX_RUN_HELPER) {
|
||||
- execloop = 0;
|
||||
- if(nonexistent) {
|
||||
- get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt);
|
||||
- }
|
||||
- /* salt will not be set here so we can return immediately */
|
||||
if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS)
|
||||
- return 1;
|
||||
- else
|
||||
- return 0;
|
||||
+ blank = nonexistent_check;
|
||||
} else if (retval == PAM_USER_UNKNOWN) {
|
||||
name = "root";
|
||||
- nonexistent = 0;
|
||||
- } else {
|
||||
- execloop = 0;
|
||||
+ nonexistent_check = 0;
|
||||
+ continue;
|
||||
+ } else if (salt != NULL) {
|
||||
+ if (strlen(salt) == 0)
|
||||
+ blank = nonexistent_check;
|
||||
}
|
||||
- }
|
||||
-
|
||||
- /* Does this user have a password? */
|
||||
- if (salt == NULL) {
|
||||
- retval = 0;
|
||||
- } else {
|
||||
- if (strlen(salt) == 0)
|
||||
- retval = 1;
|
||||
- else
|
||||
- retval = 0;
|
||||
+ name = "pam_unix_non_existent:";
|
||||
+ /* non-existent user check will not affect the blank value */
|
||||
}
|
||||
|
||||
/* tidy up */
|
||||
-
|
||||
if (salt)
|
||||
_pam_delete(salt);
|
||||
|
||||
- return retval;
|
||||
+ return blank;
|
||||
}
|
||||
|
||||
int _unix_verify_password(pam_handle_t * pamh, const char *name
|
||||
--
|
||||
2.28.0
|
||||
|
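Review bot: The loop body reuses `pwd` and `salt` across both iterations without resetting them, so whether the hash obtained by the first get_pwd_hash() call is released depends on get_pwd_hash() either leaving `*salt` untouched or freeing it on the PAM_USER_UNKNOWN path, which this hunk does not show; if it simply overwrites the pointer, the first hash is leaked. Freeing at the end of the loop body, `_pam_delete(salt); salt = NULL;` just before `name = "pam_unix_non_existent:";`, would make each iteration self-contained and leave the final tidy-up as a no-op. The comment `/* non-existent user check will not affect the blank value */` holds only because the second lookup of the sentinel name is expected to return PAM_USER_UNKNOWN (or, via the helper, anything but PAM_SUCCESS): for an existing user `nonexistent_check` is still 1 on that iteration, so the flag does not guard it, and the comment should state that assumption explicitly. _unix_blankpasswd()'s signature and opening lie outside the second hunk; `blank` and `nonexistent_check` are declared in the first.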
26
pam.spec
26
pam.spec
|
@ -3,7 +3,7 @@
|
|||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.4.0
|
||||
Release: 7%{?dist}
|
||||
Release: 11%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
|
@ -55,6 +55,12 @@ Patch61: pam-1.4.0-motd-privilege-message.patch
|
|||
# https://github.com/linux-pam/linux-pam/commit/50ab1eda259ff039922b2774895f09bf0a57e078
|
||||
# https://github.com/linux-pam/linux-pam/commit/51318fd423a8ab4456a278ef0aff6ad449aab916
|
||||
Patch62: pam-1.4.0-libpam-start-leak.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/62d826471e87e27b39a36ccbeee58999e2514a92
|
||||
Patch63: pam-1.4.0-drop-priv-initgroups.patch
|
||||
# https://github.com/linux-pam/linux-pam/commit/30fdfb90d9864bcc254a62760aaa149d373fd4eb
|
||||
Patch64: pam-1.4.0-unix-blank-check-with-root.patch
|
||||
# https://github.com/linux-pam/linux-pam/pull/368
|
||||
Patch65: https://github.com/linux-pam/linux-pam/pull/368.patch#/pam-1.4.0-no_crypt_checksalt_for_pw_expiration.patch
|
||||
|
||||
%global _pamlibdir %{_libdir}
|
||||
%global _moduledir %{_libdir}/security
|
||||
|
@ -72,6 +78,7 @@ Patch62: pam-1.4.0-libpam-start-leak.patch
|
|||
%global _performance_build 1
|
||||
|
||||
Requires: libpwquality >= 0.9.9
|
||||
BuildRequires: make
|
||||
BuildRequires: autoconf >= 2.60
|
||||
BuildRequires: automake, libtool
|
||||
BuildRequires: bison, flex, sed
|
||||
|
@ -149,6 +156,9 @@ cp %{SOURCE18} .
|
|||
%patch60 -p1 -b .unix-init-daysleft
|
||||
%patch61 -p1 -b .motd-privilege-message
|
||||
%patch62 -p1 -b .libpam-start-leak
|
||||
%patch63 -p1 -b .drop-priv-initgroups
|
||||
%patch64 -p1 -b .unix-blank-check-with-root
|
||||
%patch65 -p1 -b .no_crypt_checksalt_for_pw_expiration
|
||||
|
||||
autoreconf -i
|
||||
|
||||
|
@ -408,6 +418,20 @@ done
|
|||
%doc doc/sag/*.txt doc/sag/html
|
||||
|
||||
%changelog
|
||||
* Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.4.0-11
|
||||
- Add a patch to not use crypt_checksalt for password expiration
|
||||
Resolves: #1965345, #1967150
|
||||
|
||||
* Fri Dec 4 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-10
|
||||
- Add BuildRequires: make (#1902520)
|
||||
|
||||
* Thu Nov 26 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-9
|
||||
- fix CVE-2020-27780: authentication bypass when the user doesn't exist
|
||||
and root password is blank (#1901173)
|
||||
|
||||
* Mon Nov 16 2020 Allison Karlitskaya <allison.karlitskaya@redhat.com> - 1.4.0-8
|
||||
- libpam: add supplementary groups on priv drop (#1896452)
|
||||
|
||||
* Fri Nov 6 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.4.0-7
|
||||
- libpam: fix memory leak in pam_start (#1894630)
|
||||
|
||||
|
|
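Review bot: Patch65 is referenced as a live pull-request URL (`https://github.com/linux-pam/linux-pam/pull/368.patch#/...`) while Patch63 and Patch64 are local files whose comments cite a fixed upstream commit; a PR's `.patch` output changes whenever the branch is amended or extended, so the reference is not content-pinned on its own. The patch text added in this change (its header names commit 980d90c9) is what actually gets applied, so the concern is reproducibility and review traceability rather than a tampered build, assuming the file stays in the repository or lookaside rather than being re-fetched at build time. For consistency with the neighbouring entries, suggest citing the commit in the comment: `# https://github.com/linux-pam/linux-pam/commit/980d90c9232fe5325d1a4deddd42c597cf9e1a54`.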