#41: pam_succeed_if doesnt test rhost or tty correctly ------------------------+------------------------------ Reporter: bentaylor | Owner: pam-developers@… Type: defect | Status: new Priority: major | Component: modules Version: | Keywords: pam_rhost Blocked By: | Blocking: ------------------------+------------------------------ there seems to be a bug in the pam_succeed_if module caused by copy/pasting and not replacing some consts. https://git.fedorahosted.org/cgit/linux- pam.git/tree/modules/pam_succeed_if/pam_succeed_if.c below, PAM_SERVICE should be PAM_RHOST and PAM_TTY in their respective blocks. this bug prevents pam conditions like this working: auth [success=1 default=ignore] pam_succeed_if.so rhost = 10.50.1.1 instead, the following rule incorrectly passes: auth [success=1 default=ignore] pam_succeed_if.so rhost = sshd ===================================== if (strcasecmp(left, "service") == 0) { const void *svc; if (pam_get_item(pamh, PAM_SERVICE, &svc) != PAM_SUCCESS || svc == NULL) svc = ""; snprintf(buf, sizeof(buf), "%s", (const char *)svc); left = buf; } if (strcasecmp(left, "ruser") == 0) { const void *ruser; if (pam_get_item(pamh, PAM_RUSER, &ruser) != PAM_SUCCESS || ruser == NULL) ruser = ""; snprintf(buf, sizeof(buf), "%s", (const char *)ruser); left = buf; user = buf; } if (strcasecmp(left, "rhost") == 0) { const void *rhost; if (pam_get_item(pamh, PAM_SERVICE, &rhost) != PAM_SUCCESS || rhost == NULL) rhost = ""; snprintf(buf, sizeof(buf), "%s", (const char *)rhost); left = buf; } if (strcasecmp(left, "tty") == 0) { const void *tty; if (pam_get_item(pamh, PAM_SERVICE, &tty) != PAM_SUCCESS || tty == NULL) tty = ""; snprintf(buf, sizeof(buf), "%s", (const char *)tty); left = buf; } -- Ticket URL: <https://fedorahosted.org/linux-pam/ticket/41> linux-pam <http://fedorahosted.org/linux-pam> The Linux-PAM (Pluggable Authentication Modules) project