[linux-pam] #41: pam_succeed_if doesn't test rhost or tty correctly
by fedora-badges
#41: pam_succeed_if doesn't test rhost or tty correctly
------------------------+------------------------------
Reporter: bentaylor | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Keywords: pam_rhost
Blocked By: | Blocking:
------------------------+------------------------------
There seems to be a bug in the pam_succeed_if module caused by
copy/pasting and not replacing some consts.
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_succeed_if/pam_succeed_if.c
Below, PAM_SERVICE should be PAM_RHOST and PAM_TTY in their respective
blocks.
This bug prevents PAM conditions like this from working:
auth [success=1 default=ignore] pam_succeed_if.so rhost = 10.50.1.1
Instead, the following rule incorrectly passes:
auth [success=1 default=ignore] pam_succeed_if.so rhost = sshd
=====================================
    if (strcasecmp(left, "service") == 0) {
        const void *svc;
        if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS ||
            svc == NULL)
            svc = "";
        snprintf(buf, sizeof(buf), "%s", (const char *)svc);
        left = buf;
    }
    if (strcasecmp(left, "ruser") == 0) {
        const void *ruser;
        if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
            ruser == NULL)
            ruser = "";
        snprintf(buf, sizeof(buf), "%s", (const char *)ruser);
        left = buf;
        user = buf;
    }
    if (strcasecmp(left, "rhost") == 0) {
        const void *rhost;
        /* Reported bug: fetches PAM_SERVICE; should be PAM_RHOST. */
        if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
            rhost == NULL)
            rhost = "";
        snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
        left = buf;
    }
    if (strcasecmp(left, "tty") == 0) {
        const void *tty;
        /* Reported bug: fetches PAM_SERVICE; should be PAM_TTY. */
        if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
            tty == NULL)
            tty = "";
        snprintf(buf, sizeof(buf), "%s", (const char *)tty);
        left = buf;
    }
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/41>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
pam_succeed_if: do not overflow when comparing uid and gid values
by Tomas Mraz
pam_succeed_if can overflow to a negative number when comparing high uid
and gid values. As uid_t and gid_t are 32-bit unsigned integers, when it is
read back with strtol() on 32-bit machines it will not support values
over 2^31, and on 64-bit machines the comparison functions convert the
long value to int, which makes values over 2^31 become negative.
The attached patch corrects it by using long long and strtoll().
We could also use unsigned long instead of long long, but if we would
like to add some signed integer to the values supported by
pam_succeed_if in the future, it would be limiting.
OK, to commit?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
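
The 64-bit narrowing described in the message above, as an added example that is not part of the original post or the Linux-PAM source. It assumes an LP64 platform (64-bit long, 32-bit int, wrapping narrowing as GCC and Clang do); the function names, the sample uid 4000000000, the `uid >= 1000` condition and the end-pointer validation are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Legacy shape from the message: the comparison helper takes int. */
static int ge_int(int left, int right) { return left >= right; }

/* What the legacy path actually compares for a given uid string. */
int legacy_seen_value(const char *uid)
{
    return (int)strtol(uid, NULL, 10);   /* long -> int narrowing */
}

/* Legacy evaluation of "uid >= limit": strtol(), then compare as int. */
int legacy_uid_ge(const char *uid, const char *limit)
{
    long l = strtol(uid, NULL, 10);
    long r = strtol(limit, NULL, 10);
    return ge_int((int)l, (int)r);
}

/* Widened evaluation: strtoll() and a long long comparison.
 * The end-pointer/errno checks are an added assumption, not from the message. */
int fixed_uid_ge(const char *uid, const char *limit, int *ok)
{
    char *end_l, *end_r;
    long long l, r;

    errno = 0;
    l = strtoll(uid, &end_l, 10);
    r = strtoll(limit, &end_r, 10);
    *ok = (errno == 0 && *uid != '\0' && *limit != '\0' &&
           *end_l == '\0' && *end_r == '\0');
    return *ok && l >= r;
}

int main(void)
{
    const char *uid = "4000000000";  /* constructed: valid uid_t above 2^31 */
    int ok;

    printf("legacy path sees uid as %d\n", legacy_seen_value(uid));
    printf("legacy uid >= 1000: %d\n", legacy_uid_ge(uid, "1000"));
    printf("fixed  uid >= 1000: %d (parsed ok: ", fixed_uid_ge(uid, "1000", &ok));
    printf("%d)\n", ok);
    return 0;
}
```

With the legacy comparison, a condition such as `uid >= 1000` evaluates false for this account, so any PAM rule that branches on it takes the wrong path for high uids.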