[linux-pam] #46: Fix build with musl libc
by fedora-badges
#46: Fix build with musl libc
----------------------+------------------------------
Reporter: yousong | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: | Keywords:
Blocked By: | Blocking:
----------------------+------------------------------
Hi, patch files in the attachments are produced when building libpam
within OpenWrt. Not long ago, OpenWrt switched to musl as the default
libc which is relatively and different from other implementations, e.g.
crypt() function is part of musl-libc itself, many old functions are
dropped from the implementation, etc.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/46>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
7 years, 12 months
Raise salt length for the sha2 password hashes
by Tomas Mraz
Hello,
currently pam_unix hardcodes the new salt length when password is
changed to be 8 characters - this makes it due to the limitation to 64
only possible characters to be 48 bits long. This is slightly lower than
can be considered as long enough for any paranoid. I propose to make it
12 characters which should satisfy any paranoid person as rainbow tables
of 2^72 hashes for each tested password can hardly be created in the
foreseeable future.
Or do you think that the current salt length should be sufficient and
stay as is?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
8 years, 2 months
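The salt-length arithmetic from the message above, as an added example (not part of the original post and not pam_unix code): it builds a `$6$` (SHA-512 crypt) setting string with a salt of configurable length and reports its entropy at 6 bits per character. The function names are hypothetical; it assumes Linux `getrandom(2)` and relies on the 16-character salt maximum of SHA-crypt.

```c
/* Added example; function names are hypothetical, not pam_unix's. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/random.h>

/* The 64-character crypt(3) salt alphabet: 6 bits per character. */
static const char SALT_ALPHABET[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SHA_CRYPT_SALT_MAX 16   /* longest salt SHA-crypt will use */

/* Entropy of n salt characters drawn uniformly from the alphabet. */
unsigned salt_entropy_bits(size_t n) { return (unsigned)(6 * n); }

/* Write "$6$<salt>$" into out; 0 on success, -1 on bad arguments or RNG failure. */
int make_sha512_setting(char *out, size_t out_size, size_t salt_chars)
{
    unsigned char rnd[SHA_CRYPT_SALT_MAX];
    size_t got = 0, i;
    if (salt_chars == 0 || salt_chars > SHA_CRYPT_SALT_MAX)
        return -1;
    if (out_size < salt_chars + 5)      /* "$6$" + salt + "$" + NUL */
        return -1;
    while (got < salt_chars) {
        ssize_t r = getrandom(rnd + got, salt_chars - got, 0);
        if (r < 0 && errno == EINTR)
            continue;                   /* interrupted: retry */
        if (r <= 0)
            return -1;
        got += (size_t)r;
    }
    memcpy(out, "$6$", 3);
    for (i = 0; i < salt_chars; i++)    /* 256 % 64 == 0: no modulo bias */
        out[3 + i] = SALT_ALPHABET[rnd[i] & 0x3f];
    out[3 + salt_chars] = '$';
    out[4 + salt_chars] = '\0';
    return 0;
}

int main(void)
{
    char s[SHA_CRYPT_SALT_MAX + 5];
    if (make_sha512_setting(s, sizeof s, 12) == 0)
        printf("12 chars = %u bits: %s\n", salt_entropy_bits(12), s);
    return 0;
}
```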
[linux-pam] #45: Premature thread wake up on successful pam_authenticate call
by fedora-badges
#45: Premature thread wake up on successful pam_authenticate call
---------------------+------------------------------
Reporter: igleyy | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: library
Version: | Keywords:
Blocked By: | Blocking:
---------------------+------------------------------
For given example code, thread which should sleep for given period of time
is prematurely woken up upon successful pam_authenticate call.
Environment:
Linux Mint 16
libpamc.so.0.82.1
libpam_misc.so.0.82.0
libpam.so.0.83.0
g++ (Ubuntu/Linaro 4.8.1-10ubuntu9) 4.8.1
Code:
{{{
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <pthread.h>
#include <unistd.h>   /* sleep() */
#include <cstdlib>    /* exit() */
#include <iostream>

static struct pam_conv conv = {
    misc_conv,
    NULL
};

/* Worker thread: prints a counter, then sleeps. Every extra line of
   output means sleep() returned before its interval had elapsed. */
void* thread_func(void* foo) {
    int i = 0;
    std::cout << "Start thread func stuff " << i++ << std::endl;
    while (1) {
        std::cout << "Thread func stuff " << i++ << std::endl;
        sleep(1000000);
    }
}

int main ()
{
    pthread_t th;
    int th_ret;

    th_ret = pthread_create( &th, NULL, thread_func, (void*) NULL);
    if (th_ret) {
        std::cout << "pthread_create failed: " << th_ret << std::endl;
        exit(1);
    }

    pam_handle_t* pamh;
    struct pam_conv pamc;

    /* Set up the PAM conversation. */
    pamc.conv = &misc_conv;
    pamc.appdata_ptr = NULL;

    /* Start a new authentication session. */
    pam_start ("passwd", "myusername", &pamc, &pamh);

    /* Authenticate the user. */
    if (pam_authenticate (pamh, 0) != PAM_SUCCESS)
        std::cout << "Authentication failed!" << std::endl;
    else
        std::cout << "Authentication OK" << std::endl;

    /* All done. */
    pam_end (pamh, 0);

    while(1) {} /* Prevent application finish. */
    return 0;
}
}}}
Compiled with
{{{
g++ -g pamexample.c -pthread -lpam -lpam_misc
}}}
For my local user and correct password I get the following output:
{{{
./a.out
Start thread func stuff 0
Thread func stuff 1
Password:
Thread func stuff 2
Thread func stuff 3
Thread func stuff 4
Thread func stuff 5
Thread func stuff 6
Authentication OK
}}}
For unsuccessful pam_authenticate calls output is correct. Output for
given example is correct on SLES 11.3, Ubuntu 14.04. Please let me know if
you need more information.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/45>
8 years, 6 months
[linux-pam] #50: quieter pam_succeed_if when user unknown
by fedora-badges
#50: quieter pam_succeed_if when user unknown
--------------------------+------------------------------
Reporter: tomgreen66 | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: minor | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
--------------------------+------------------------------
'''ENHANCEMENT'''
It seems if a user is unknown by pam_succeed_if it will report even in
quiet mode:
{{{
pam_succeed_if(sshd:auth): error retrieving information about user <user>
}}}
There was a patch submitted via a mailing list here:
[https://www.redhat.com/archives/pam-list/2009-December/msg00011.html]
which seemed to fit this purpose - not sure whether it was ever officially
submitted and rejected or it was just lost.
I tend to get this message being flagged by monitoring systems and rather
than filter it out I feel it's better quiet did what is expected.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/50>
8 years, 7 months
[PATCH] Add support for defining missing functionality
by Khem Raj
In order to support alternative libc on linux ( musl, bionic ) etc we
need to check for glibc-only features and provide alternatives, in this
list strndupa is first one, when configure detects that it's not included
in system C library then the alternative implementation from missing.h is
used
Signed-off-by: Khem Raj <raj.khem(a)gmail.com>
---
configure.ac | 3 +++
libpam/include/missing.h | 12 ++++++++++++
modules/pam_exec/pam_exec.c | 1 +
3 files changed, 16 insertions(+)
create mode 100644 libpam/include/missing.h
diff --git a/configure.ac b/configure.ac
index 9e1257f..cbed979 100644
--- a/configure.ac
+++ b/configure.ac
@@ -599,6 +599,9 @@ dnl
AC_CHECK_DECL(__NR_keyctl, [have_key_syscalls=1],[have_key_syscalls=0],[#include <sys/syscall.h>])
AC_CHECK_DECL(ENOKEY, [have_key_errors=1],[have_key_errors=0],[#include <errno.h>])
+# musl and bionic don't have strndupa
+AC_CHECK_DECLS_ONCE([strndupa])
+
HAVE_KEY_MANAGEMENT=0
if test $have_key_syscalls$have_key_errors = 11
then
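Review bot: `AC_CHECK_DECLS_ONCE([strndupa])` tests for a declaration using the default includes, but glibc only exposes strndupa from <string.h> when _GNU_SOURCE is defined, so unless configure defines it for its test programs the check will report strndupa missing on glibc as well. Please confirm that is handled (for example by AC_USE_SYSTEM_EXTENSIONS earlier in configure.ac), otherwise glibc builds will pick up the fallback from missing.h and redefine the macro. The comment above the check names only musl and bionic; it would be clearer to say the check is generic and those are the known cases.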
diff --git a/libpam/include/missing.h b/libpam/include/missing.h
new file mode 100644
index 0000000..3cf011c
--- /dev/null
+++ b/libpam/include/missing.h
@@ -0,0 +1,12 @@
+#pragma once
+
+#if !HAVE_DECL_STRNDUPA
+#define strndupa(s, n) \
+ ({ \
+ const char *__old = (s); \
+ size_t __len = strnlen(__old, (n)); \
+ char *__new = alloca(__len + 1); \
+ __new[__len] = '\0'; \
+ memcpy(__new, __old, __len); \
+ })
+#endif
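Review bot: the `strndupa` fallback calls strnlen, alloca and memcpy, yet the header includes nothing, so it compiles only when every includer has already pulled in <string.h> and <alloca.h>, plus config.h for `HAVE_DECL_STRNDUPA`; add those includes here so the header is self-contained. The statement expression also ends in the `memcpy(...)` call, so the macro evaluates to `void *` rather than `char *`; casting that result to `char *`, or ending with `__new;`, would match the glibc macro. The `__`-prefixed locals are reserved identifiers, and because the length goes straight to alloca, a comment stating that callers must bound `n` would be useful in an authentication library.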
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c
index 17ba6ca..3aa2694 100644
--- a/modules/pam_exec/pam_exec.c
+++ b/modules/pam_exec/pam_exec.c
@@ -59,6 +59,7 @@
#include <security/pam_modutil.h>
#include <security/pam_ext.h>
#include <security/_pam_macros.h>
+#include <missing.h>
#define ENV_ITEM(n) { (n), #n }
static struct {
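Review bot: `#include <missing.h>` uses angle brackets with a very generic file name, so it is resolved through the -I search path and could pick up an unrelated missing.h; a quoted include or a PAM-specific name would be safer. It also has to come after config.h for `HAVE_DECL_STRNDUPA` to be set, which this hunk does not show. The diffstat lists only configure.ac, the new header and pam_exec.c, so please check that libpam/include/missing.h is listed in a Makefile.am for distribution, and say in the commit message which call in pam_exec.c needs strndupa.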
--
2.1.4
8 years, 7 months
[linux-pam] #47: [PATCH] pam_timestamp: File descriptor leak
by fedora-badges
#47: [PATCH] pam_timestamp: File descriptor leak
-----------------------+------------------------------
Reporter: avalluri | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: 1.1.x | Keywords:
Blocked By: | Blocking:
-----------------------+------------------------------
I have attached a patch that fixes a file descriptor leak in the pam_timestamp
module (hmac_key_create).
This is my first patch to linux-pam, please guide me if this is not the
way to submit the patch.
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/47>
8 years, 7 months
[linux-pam] #48: auks support for pam_namespace
by fedora-badges
#48: auks support for pam_namespace
--------------------------+------------------------------
Reporter: wichert | Owner: pam-developers@…
Type: enhancement | Status: new
Priority: major | Component: modules
Version: | Keywords:
Blocked By: | Blocking:
--------------------------+------------------------------
I made a patch which extends pam_namespace to add unionfs support (via
aufs). This makes it possible to provide a private version of a directory
that is writeable for the user. Configuration is simple: all you need to
do is add a “unionfs” option in namespace.conf. In my test system the
entry looks like this:
{{{
$HOME /private/home/ tmpfs:union,mntopts=size=128m root
}}}
With this line pam_namespace does the following:
 * when using tmpfs with the union option or a different method an instance
   directory is created
 * when using the union option the bind mount is replaced with an aufs mount
   which adds the instance directory as a branch on top of the
   polyinstantiated directory
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/48>
8 years, 8 months
Memory leaks in pam_modutil_getpw/gr family of functions
by Valluri, Amarnath
Hello pam-devels,
In library code, the dynamically allocated (realloc) memory returned by pam_modutil_getgrnam/pid() pam_modutil_getpwnam/uid() functions, i.e., struct group*, struct passwd* respectively, is never freed, so it leaks the memory in quite many modules which use these functions.
Can someone help me understanding this, if this is intentional or a bug?
Please ignore and point me to the link, if this was already discussed. I failed to find the mail-archives related to this.
Thanks,
Amarnath
8 years, 8 months