10.1 BETA2 World - Breaks saslauthd
Andriy Gapon
avg at FreeBSD.org
Fri Sep 26 16:01:08 UTC 2014
On 26/09/2014 10:08, Dag-Erling Smørgrav wrote:
> Brandon Allbery <allbery.b at gmail.com> writes:
>> To me the implication is that before the MFC, PAM had a potentially
>> quite severe security issue involving either incorrect fallback to a
>> default configuration or not correctly handling error returns from a
>> PAM stack --- either of which could result in unauthorized users being
>> permitted access.
>
> No, that's a different issue. This patch fixes a potential segfault
> (see http://bugs.freebsd.org/83099). However, I have recevied reports
> that gdm (amongst others) actually want to be able to call
> pam_login_access without a host or tty. The following patch makes that
> possible:
>
> Index: lib/libpam/modules/pam_login_access/pam_login_access.c
> ===================================================================
> --- lib/libpam/modules/pam_login_access/pam_login_access.c (revision 272101)
> +++ lib/libpam/modules/pam_login_access/pam_login_access.c (working copy)
> @@ -94,8 +94,10 @@
> PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
> user, tty);
> } else {
> - PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required");
> - return (PAM_AUTHINFO_UNAVAIL);
> + PAM_LOG("Checking login.access for user %s", user);
> + if (login_access(user, "***unknown***") != 0)
> + return (PAM_SUCCESS);
> + PAM_VERBOSE_ERROR("%s is not allowed to log in", user);
> }
>
> return (PAM_AUTH_ERR);
>
> Please test and report as soon as possible so I can get it into 10.
BTW, I think that chatted about this topic (no host, no tty) a long time ago and
back then you suggested that PAM_IGNORE could be returned for that combination.
I do not know much about PAM, so I can't evaluate neither the current code nor
that hypothetical alternative. So, this is just a reminder about some old ideas.
--
Andriy Gapon
More information about the freebsd-stable
mailing list