767f761a2d
- Clarify upstreamed patches
187 lines
5.6 KiB
Diff
187 lines
5.6 KiB
Diff
From 16cebfeb30a8bd7c7dc269190a054c25b0f8d044 Mon Sep 17 00:00:00 2001
|
|
From: ikerexxe <ipedrosa@redhat.com>
|
|
Date: Tue, 15 Sep 2020 15:54:10 +0200
|
|
Subject: [PATCH 1/2] pam_motd: filter motd by user and group
|
|
|
|
modules/pam_motd/pam_motd.c: filter motd by user and group owning the
|
|
proper files. This is achieved by changing the ids of the process
|
|
reading the files from root to the target user.
|
|
|
|
Resolves:
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1861640
|
|
---
|
|
modules/pam_motd/pam_motd.c | 97 ++++++++++++++++++++++++++++---------
|
|
1 file changed, 75 insertions(+), 22 deletions(-)
|
|
|
|
diff --git a/modules/pam_motd/pam_motd.c b/modules/pam_motd/pam_motd.c
|
|
index 46f4fe61..a4fd0e59 100644
|
|
--- a/modules/pam_motd/pam_motd.c
|
|
+++ b/modules/pam_motd/pam_motd.c
|
|
@@ -282,6 +282,72 @@ static void try_to_display_directories_with_overrides(pam_handle_t *pamh,
|
|
_pam_drop(dirscans);
|
|
}
|
|
|
|
+static int drop_privileges(pam_handle_t *pamh, struct pam_modutil_privs *privs)
|
|
+{
|
|
+ struct passwd *pw;
|
|
+ const char *username;
|
|
+ int retval;
|
|
+
|
|
+ retval = pam_get_user(pamh, &username, "key user");
|
|
+
|
|
+ if (retval == PAM_SUCCESS) {
|
|
+ pw = pam_modutil_getpwnam (pamh, username);
|
|
+ } else {
|
|
+ return PAM_SESSION_ERR;
|
|
+ }
|
|
+
|
|
+ if (pw == NULL || pam_modutil_drop_priv(pamh, privs, pw)) {
|
|
+ return PAM_SESSION_ERR;
|
|
+ }
|
|
+
|
|
+ return PAM_SUCCESS;
|
|
+}
|
|
+
|
|
+static int try_to_display(pam_handle_t *pamh, char **motd_path_split,
|
|
+ unsigned int num_motd_paths,
|
|
+ char **motd_dir_path_split,
|
|
+ unsigned int num_motd_dir_paths, int report_missing)
|
|
+{
|
|
+ PAM_MODUTIL_DEF_PRIVS(privs);
|
|
+
|
|
+ if (drop_privileges(pamh, &privs) != PAM_SUCCESS) {
|
|
+ pam_syslog(pamh, LOG_ERR, "Unable to drop privileges");
|
|
+ return PAM_SESSION_ERR;
|
|
+ }
|
|
+
|
|
+ if (motd_path_split != NULL) {
|
|
+ unsigned int i;
|
|
+
|
|
+ for (i = 0; i < num_motd_paths; i++) {
|
|
+ int fd = open(motd_path_split[i], O_RDONLY, 0);
|
|
+
|
|
+ if (fd >= 0) {
|
|
+ try_to_display_fd(pamh, fd);
|
|
+ close(fd);
|
|
+
|
|
+ /* We found and displayed a file,
|
|
+ * move onto next filename.
|
|
+ */
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (motd_dir_path_split != NULL) {
|
|
+ try_to_display_directories_with_overrides(pamh,
|
|
+ motd_dir_path_split,
|
|
+ num_motd_dir_paths,
|
|
+ report_missing);
|
|
+ }
|
|
+
|
|
+ if (pam_modutil_regain_priv(pamh, &privs)) {
|
|
+ pam_syslog(pamh, LOG_ERR, "Unable to regain privileges");
|
|
+ return PAM_SESSION_ERR;
|
|
+ }
|
|
+
|
|
+ return PAM_SUCCESS;
|
|
+}
|
|
+
|
|
int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
int argc, const char **argv)
|
|
{
|
|
@@ -358,25 +424,9 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
}
|
|
}
|
|
|
|
- if (motd_path_split != NULL) {
|
|
- unsigned int i;
|
|
-
|
|
- for (i = 0; i < num_motd_paths; i++) {
|
|
- int fd = open(motd_path_split[i], O_RDONLY, 0);
|
|
-
|
|
- if (fd >= 0) {
|
|
- try_to_display_fd(pamh, fd);
|
|
- close(fd);
|
|
-
|
|
- /* We found and displayed a file, move onto next filename. */
|
|
- break;
|
|
- }
|
|
- }
|
|
- }
|
|
-
|
|
- if (motd_dir_path_split != NULL)
|
|
- try_to_display_directories_with_overrides(pamh, motd_dir_path_split,
|
|
- num_motd_dir_paths, report_missing);
|
|
+ retval = try_to_display(pamh, motd_path_split, num_motd_paths,
|
|
+ motd_dir_path_split, num_motd_dir_paths,
|
|
+ report_missing);
|
|
|
|
out:
|
|
_pam_drop(motd_path_copy);
|
|
@@ -384,9 +434,12 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
|
|
_pam_drop(motd_dir_path_copy);
|
|
_pam_drop(motd_dir_path_split);
|
|
|
|
- retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
|
|
-
|
|
- return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
|
|
+ if (retval == PAM_SUCCESS) {
|
|
+ retval = pam_putenv(pamh, "MOTD_SHOWN=pam");
|
|
+ return retval == PAM_SUCCESS ? PAM_IGNORE : retval;
|
|
+ } else {
|
|
+ return retval;
|
|
+ }
|
|
}
|
|
|
|
/* end of module definition */
|
|
--
|
|
2.26.2
|
|
|
|
|
|
From ad8b6feaf8ea989368676acaea905998a807986e Mon Sep 17 00:00:00 2001
|
|
From: ikerexxe <ipedrosa@redhat.com>
|
|
Date: Wed, 14 Oct 2020 11:30:00 +0200
|
|
Subject: [PATCH 2/2] pam_motd: document file filtering
|
|
|
|
modules/pam_motd/pam_motd.8.xml: document file filtering of motd
|
|
messages.
|
|
NEWS: annotate change.
|
|
---
|
|
NEWS | 3 +++
|
|
modules/pam_motd/pam_motd.8.xml | 5 +++--
|
|
2 files changed, 6 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/NEWS b/NEWS
|
|
index e8c0de87..c3b338e2 100644
|
|
--- a/NEWS
|
|
+++ b/NEWS
|
|
@@ -1,5 +1,8 @@
|
|
Linux-PAM NEWS -- history of user-visible changes.
|
|
|
|
+Release 1.5.0
|
|
+* pam_motd: read motd files with target user credentials skipping unreadable ones.
|
|
+
|
|
Release 1.4.0
|
|
* Multiple minor bug fixes and documentation improvements
|
|
* Fixed grammar of messages printed via pam_prompt
|
|
diff --git a/modules/pam_motd/pam_motd.8.xml b/modules/pam_motd/pam_motd.8.xml
|
|
index b533530b..0afd4c99 100644
|
|
--- a/modules/pam_motd/pam_motd.8.xml
|
|
+++ b/modules/pam_motd/pam_motd.8.xml
|
|
@@ -64,8 +64,9 @@
|
|
override files with the same name in <filename>/usr/lib/motd.d/</filename>.
|
|
</para>
|
|
<para>
|
|
- Files the in the directories listed above are displayed in
|
|
- lexicographic order by name.
|
|
+ Files in the directories listed above are displayed in lexicographic
|
|
+ order by name. Moreover, the files are filtered by reading them with the
|
|
+ credentials of the target user authenticating on the system.
|
|
</para>
|
|
<para>
|
|
To silence a message,
|
|
--
|
|
2.26.2
|
|
|