#41: pam_succeed_if doesn't test rhost or tty correctly
------------------------+------------------------------
Reporter: bentaylor | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: | Keywords: pam_rhost
Blocked By: | Blocking:
------------------------+------------------------------
There seems to be a bug in the pam_succeed_if module caused by
copy/pasting and not replacing some consts.
https://git.fedorahosted.org/cgit/linux-pam.git/tree/modules/pam_succeed_if/pam_succeed_if.c
Below, PAM_SERVICE should be PAM_RHOST and PAM_TTY in their respective
blocks.
This bug prevents PAM conditions like this from working:
auth [success=1 default=ignore] pam_succeed_if.so rhost = 10.50.1.1
Instead, the following rule incorrectly passes:
auth [success=1 default=ignore] pam_succeed_if.so rhost = sshd
=====================================
        if (strcasecmp(left, "service") == 0) {
                const void *svc;
                if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS ||
                    svc == NULL)
                        svc = "";
                snprintf(buf, sizeof(buf), "%s", (const char *)svc);
                left = buf;
        }
        if (strcasecmp(left, "ruser") == 0) {
                const void *ruser;
                if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS ||
                    ruser == NULL)
                        ruser = "";
                snprintf(buf, sizeof(buf), "%s", (const char *)ruser);
                left = buf;
                user = buf;
        }
        if (strcasecmp(left, "rhost") == 0) {
                const void *rhost;
                if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS ||
                    rhost == NULL)
                        rhost = "";
                snprintf(buf, sizeof(buf), "%s", (const char *)rhost);
                left = buf;
        }
        if (strcasecmp(left, "tty") == 0) {
                const void *tty;
                if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS ||
                    tty == NULL)
                        tty = "";
                snprintf(buf, sizeof(buf), "%s", (const char *)tty);
                left = buf;
        }
--
Ticket URL: <https://fedorahosted.org/linux-pam/ticket/41>
linux-pam <http://fedorahosted.org/linux-pam>
The Linux-PAM (Pluggable Authentication Modules) project
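
The mix-up reported in this ticket, reproduced as an added, self-contained example (not code from Linux-PAM or from the reporter). The item types, struct handle, the two lookup tables and rule_matches() are stand-ins constructed here so it builds without libpam; it shows why "rhost = sshd" matches under the reported mapping and how the mapping the reporter proposes behaves instead.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Stand-ins for the PAM item types and handle; constructed for this example. */
enum item { IT_SERVICE, IT_RUSER, IT_RHOST, IT_TTY, IT_COUNT };
struct handle { const char *items[IT_COUNT]; };
struct field { const char *name; enum item type; };
/* As in the ticket: "rhost" and "tty" both fetch the service item. */
static const struct field buggy_map[] = {
    {"service", IT_SERVICE}, {"ruser", IT_RUSER},
    {"rhost", IT_SERVICE}, {"tty", IT_SERVICE},
};
/* As the reporter proposes: each name fetches its own item. */
static const struct field fixed_map[] = {
    {"service", IT_SERVICE}, {"ruser", IT_RUSER},
    {"rhost", IT_RHOST}, {"tty", IT_TTY},
};
#define NFIELDS 4

/* Resolve the left-hand side; a missing item becomes "" as in the quoted code. */
static const char *resolve(const struct handle *h, const struct field *map,
                           const char *left, char *buf, size_t len)
{
    for (int i = 0; i < NFIELDS; i++) {
        if (strcasecmp(left, map[i].name) != 0)
            continue;
        const char *v = h->items[map[i].type];
        snprintf(buf, len, "%s", v ? v : "");
        return buf;
    }
    return left; /* not a known item name: compare the literal text */
}

/* Evaluate "left = right" (string equality) against the handle. */
static int rule_matches(const struct handle *h, const struct field *map,
                        const char *left, const char *right)
{
    char buf[256];
    return strcmp(resolve(h, map, left, buf, sizeof(buf)), right) == 0;
}

int main(void)
{
    struct handle h = { { "sshd", "alice", "10.50.1.1", "ssh" } }; /* constructed session */
    printf("buggy: rhost = sshd      -> %d\n", rule_matches(&h, buggy_map, "rhost", "sshd"));
    printf("fixed: rhost = 10.50.1.1 -> %d\n", rule_matches(&h, fixed_map, "rhost", "10.50.1.1"));
    return 0;
}
```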