Re: pam_access: repatch
- From: Thorsten Kukuk <kukuk suse de>
- To: pam-list redhat com
- Subject: Re: pam_access: repatch
- Date: Thu, 27 Sep 2007 07:01:33 +0200
On Thu, Sep 27, Julien Lecomte wrote:
>
> Hello,
>
> When I compiled the latest pam for my box and then got locked out, I went
> to look at how my patch (posted 13 Jun 2007) had been applied.
>
> I remember that the "getpwuid" part didn't please you; and you actually
> removed it from the patch applied.
Yes, because it is wrong and will not do what you expect.
getuid() returns the real user ID of the current process, not the one
of the old or new user account. So getpwuid(getuid()) returns the
passwd entry of the current process owner, which does not need to have
anything to do with the old or new user.
So while the patch may work in your special situation, the result of
such a rule is not predictable in general, and thus it is a no-go for a
security-relevant authentication tool.
Thorsten
> diff -NBbaur Linux-PAM-0.99.8.1-pristine/modules/pam_access/pam_access.c Linux-PAM-0.99.8.1/modules/pam_access/pam_access.c
> --- Linux-PAM-0.99.8.1-pristine/modules/pam_access/pam_access.c 2007-06-25 11:59:11.000000000 +0200
> +++ Linux-PAM-0.99.8.1/modules/pam_access/pam_access.c 2007-09-27 00:24:30.000000000 +0200
> @@ -548,6 +552,7 @@
> const char *string = item->from;
> int tok_len;
> int str_len;
> + struct passwd *from_group;
>
> if (pam_access_debug)
> pam_syslog (pamh, LOG_DEBUG,
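Review bot: the new local `from_group` in this hunk is declared as `struct passwd *`, so it holds a passwd entry, not a group; the name misleads the reader into thinking a group lookup happens here. Rename it to reflect what it actually stores (for example `caller_pw`) and declare it next to the other locals with a short comment on what it is used for.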
> @@ -566,6 +571,12 @@
> return NO;
> } else if (tok[0] == '@') { /* netgroup */
> return (netgroup_match (pamh, tok + 1, string, (char *) 0));
> + } else if (tok[0] == '(' && tok[strlen(tok) - 1] == ')') { /* local group */
> + /* get calling user's main group */
> + from_group = getpwuid(getuid());
> + if (!from_group)
> + return NO;
> + return group_match(pamh, tok, from_group->pw_name);
> } else if (string_match(pamh, tok, string)) {
> /* ALL or exact match */
> return (YES);
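Review bot: the `from_group = getpwuid(getuid());` lookup in this hunk resolves the real uid of the process running the PAM stack, not the account whose access is being checked, so for a service running as root it matches the rule against root's passwd entry rather than the user being evaluated; take the user from the login information the module is already evaluating (the same item that supplies `string = item->from`) instead of `getuid()`. Separately, `getpwuid()` returns a pointer to static storage that the next passwd lookup overwrites, so either copy `pw_name` before calling `group_match()` or use `getpwuid_r()` with a caller-supplied buffer.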
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)