[linux-pam] #46: Fix build with musl libc
by fedora-badges
#46: Fix build with musl libc
----------------------+------------------------------
Reporter: yousong | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: | Keywords:
Blocked By: | Blocking:
----------------------+------------------------------
Hi, the patch files in the attachments are produced when building libpam
within OpenWrt. Not long ago, OpenWrt switched to musl as the default
libc, which is rather different from other implementations, e.g. the
crypt() function is part of musl-libc itself, many old functions are
dropped from the implementation, etc.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/46>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
8 years
[linux-pam] #53: pam_lastlog should have option to resolve hostname
by fedora-badges
#53: pam_lastlog should have option to resolve hostname
--------------------------+------------------------------
Reporter: chowbok | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: trivial | Component: modules
Version: 1.2.x | Keywords:
Blocked By: | Blocking:
--------------------------+------------------------------
pam_lastlog should be able to report what host the user last logged in
from, not just the IP. It would be very cool if this could be added as an
option.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/53>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
8 years
Raise salt length for the sha2 password hashes
by Tomas Mraz
Hello,
currently pam_unix hardcodes the salt length used when a password is
changed to 8 characters; because only 64 characters are possible, this
makes the salt 48 bits long. This is slightly lower than can be
considered long enough for any paranoid person. I propose to make it
12 characters, which should satisfy any paranoid person, as rainbow tables
of 2^72 hashes for each tested password can hardly be created in the
foreseeable future.
Or do you think that the current salt length is sufficient and should
stay as is?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8 years, 3 months
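The arithmetic behind the salt-length proposal above, as an added example that is not pam_unix's own code: each character of a crypt(3) salt is drawn from the standard 64-character alphabet "./0-9A-Za-z", so it carries log2(64) = 6 bits, which gives 48 bits for 8 characters and 72 bits for 12. The function names (salt_bits, encode_salt, salt_is_valid, make_salt, sha512_crypt_prefix) are assumptions made for this example; reading /dev/urandom is the CSPRNG source it assumes.

```c
/* Added example (not pam_unix code): salt entropy per character and
 * generation of a salt of a chosen length from CSPRNG bytes using the
 * 64-character crypt alphabet. Function names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The 64-character alphabet crypt(3) salts are drawn from. */
static const char SALT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Bits of entropy in a salt of `len` characters: 64 choices = 6 bits each. */
unsigned salt_bits(size_t len) { return (unsigned)(len * 6); }

/* Encode `len` random bytes into `len` salt characters; returns 0 on success.
 * Only the low 6 bits of each byte are used, so each output character is
 * uniformly distributed when the input bytes are uniform. */
int encode_salt(const unsigned char *rnd, size_t len, char *out, size_t outsz) {
    if (outsz < len + 1) return -1;
    for (size_t i = 0; i < len; i++) out[i] = SALT_ALPHABET[rnd[i] & 0x3f];
    out[len] = '\0';
    return 0;
}

/* Returns 1 if `salt` is non-empty and every character is in the alphabet. */
int salt_is_valid(const char *salt) {
    size_t n = strlen(salt);
    if (n == 0) return 0;
    return strspn(salt, SALT_ALPHABET) == n;
}

/* Read `len` bytes from /dev/urandom (assumed CSPRNG source) and build a
 * salt of that many characters; returns 0 on success. */
int make_salt(size_t len, char *out, size_t outsz) {
    unsigned char rnd[64];
    if (len == 0 || len > sizeof rnd || outsz < len + 1) return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(rnd, 1, len, f);
    fclose(f);
    if (got != len) return -1;
    return encode_salt(rnd, len, out, outsz);
}

/* Build the "$6$<salt>$" setting string crypt(3) expects for sha512-crypt. */
int sha512_crypt_prefix(size_t salt_len, char *out, size_t outsz) {
    char salt[65];
    if (make_salt(salt_len, salt, sizeof salt) != 0) return -1;
    if (snprintf(out, outsz, "$6$%s$", salt) >= (int)outsz) return -1;
    return 0;
}

int main(void) {
    char prefix[80];
    /* Compare the current 8-character salt with the proposed 12 and with 16. */
    for (size_t len = 8; len <= 16; len += 4) {
        if (sha512_crypt_prefix(len, prefix, sizeof prefix) == 0)
            printf("%2zu chars = %2u bits: %s\n", len, salt_bits(len), prefix);
    }
    return 0;
}
```

Masking each random byte with 0x3f keeps the mapping bias-free, whereas using a modulo of a byte over a non-power-of-two alphabet would skew the distribution and quietly lose entropy.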
Relax the conditions for failure on auditing
by Tomas Mraz
I discussed with Steve Grubb, who is the libaudit and auditd author,
relaxing the conditions for failure on auditing. Currently the audit
failure is non-fatal only in case the error return from libaudit is
-EPERM and the real uid is not 0. That works fine for screensavers and other
non-root applications; however, if more fine-grained capability handling
is used, or in containers, this does not work well. We agreed that the
check for the real uid should be dropped and -EPERM treated as a nonfatal
error, as it can only happen intentionally or because of misconfiguration
(for example a bug in SELinux policy). It should not be possible to
trigger it on an attacker's demand.
This patch achieves the above. OK to commit it?
diff --git a/libpam/pam_audit.c b/libpam/pam_audit.c
index 24fb799..97a9a92 100644
--- a/libpam/pam_audit.c
+++ b/libpam/pam_audit.c
@@ -53,7 +53,7 @@ _pam_audit_writelog(pam_handle_t *pamh, int audit_fd, int type,
pamh->audit_state |= PAMAUDIT_LOGGED;
if (rc < 0) {
- if (rc == -EPERM && getuid() != 0)
+ if (rc == -EPERM)
return 0;
if (errno != old_errno) {
old_errno = errno;
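Review bot: with the `getuid() != 0` test gone, the `return 0` on the `-EPERM` branch now exits before the `errno`/`old_errno` handling that follows for every caller, including root processes, so an EPERM caused by the misconfiguration the cover note describes (e.g. a SELinux policy bug) leaves no trace at all; consider logging the EPERM once at debug level before returning, and adding a comment above `if (rc == -EPERM)` recording that -EPERM is non-fatal because it cannot be triggered on an attacker's demand, since the removed uid check was the only hint of that reasoning in the code.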
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8 years, 4 months
Re: libpam_1.2.1 and CVE-2010-4708
by Tomas Mraz
On Po, 2015-12-14 at 16:40 +0000, Tupe, Amol (Amol) wrote:
> Hello,
> I was looking in the source code of libpam 1.2.1 (Linux-PAM-1.2.1/modules/pam_env/pam_env.c) and I don't see a fix for
> the security vulnerability issue CVE-2010-4708.
>
> Should not DEFAULT_USER_READ_ENVFILE be defined as
> #define DEFAULT_USER_READ_ENVFILE 1
>
> Please suggest if this security issue is fixed in a different way in release 1.2.1, or
> if I still need a patch for CVE-2010-4708?
Yes, it is true that the default was never changed to not read the file
in the Linux-PAM upstream. It was, however, disputed whether the
vulnerability is real, as the environment variables are not set in the
process environment but only in the PAM environment, which normally does
not affect the modules. So the default was kept at 1.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8 years, 4 months
pam_tally2: Always report the tally count in syslog
by Tomas Mraz
The attached patch makes pam_tally2 always report the tally count in
syslog for debugging purposes at LOG_DEBUG level. It can be useful to
track the tally count for simultaneous login attempts. I've used the
LOG_DEBUG level for the added messages as the purpose is really rather
for debugging than anything else.
OK to commit?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8 years, 4 months