rpms/pam/devel pam-0.99.10.0-unix-any-user.patch, NONE, 1.1 pam-0.99.10.0-unix-audit-failed.patch, NONE, 1.1 pam.spec, 1.171, 1.172

Tomas Mraz (tmraz) fedora-extras-commits at redhat.com
Fri Feb 22 15:50:28 UTC 2008


Author: tmraz

Update of /cvs/pkgs/rpms/pam/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv28211

Modified Files:
	pam.spec 
Added Files:
	pam-0.99.10.0-unix-any-user.patch 
	pam-0.99.10.0-unix-audit-failed.patch 
Log Message:
* Fri Feb 22 2008 Tomas Mraz <tmraz at redhat.com> 0.99.10.0-2
- if shadow is readable for a user, do not prevent him from
  authenticating any user with unix_chkpwd (#433459)
- call audit from unix_chkpwd when appropriate


pam-0.99.10.0-unix-any-user.patch:

--- NEW FILE pam-0.99.10.0-unix-any-user.patch ---
diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.any-user Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.any-user	2008-01-28 13:21:48.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c	2008-02-21 14:06:56.000000000 +0100
@@ -101,7 +101,10 @@ int main(int argc, char *argv[])
 	  /* if the caller specifies the username, verify that user
 	     matches it */
 	  if (strcmp(user, argv[1])) {
-	    return PAM_AUTH_ERR;
+	    user = argv[1];
+	    /* no match -> permanently change to the real user and proceed */
+	    if (setuid(getuid()) != 0)
+		return PAM_AUTH_ERR;
 	  }
 	}
 
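Review bot: The comment on the first two context lines still says the supplied username must match, but the new branch instead adopts argv[1] as `user` and carries on as the calling user; replace it with something like `/* caller named another user: drop root permanently and let the later shadow lookup succeed only if the real uid may read it */`. Only the uid is dropped; if this helper were ever installed setgid rather than setuid root (the install mode is not visible here), the effective gid would survive, so `if (setgid(getgid()) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR;` is the more defensive form. The failure path also returns silently, whereas the other error paths in this file go through helper_log_err, so a log line here would keep them consistent. main() continues outside the hunk.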

pam-0.99.10.0-unix-audit-failed.patch:

--- NEW FILE pam-0.99.10.0-unix-audit-failed.patch ---
diff -up Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am
--- Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed	2008-02-06 15:21:34.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am	2008-02-22 16:11:02.000000000 +0100
@@ -53,7 +53,7 @@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_
 	passverify.c
 unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
 unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ 
-unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@
+unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
 
 unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
 	passverify.c
diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed	2008-02-22 15:39:03.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c	2008-02-22 16:34:29.000000000 +0100
@@ -24,6 +24,10 @@
 #include <shadow.h>
 #include <signal.h>
 #include <time.h>
+#include <errno.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
 
 #include <security/_pam_types.h>
 #include <security/_pam_macros.h>
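Review bot: The callers added later in this patch (the AUDIT_ANOM_EXEC calls in the two main() hunks and the AUDIT_USER_AUTH calls in the last hunk) use those constants unconditionally, but this hunk only pulls in <libaudit.h> under HAVE_LIBAUDIT and none of the visible includes supplies them, so a build without libaudit would presumably fail on undeclared identifiers unless <linux/audit.h> is included elsewhere in the file. Since the stub _audit_log ignores its type argument, an `#else` branch here with `#define AUDIT_USER_AUTH 0` and `#define AUDIT_ANOM_EXEC 0` keeps the call sites compiling; guarding each call site is the heavier alternative. The Makefile.am change adds @LIBAUDIT@ to LDADD regardless, which is fine as long as it expands to nothing when libaudit is absent.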
@@ -54,6 +58,37 @@ static int _check_expiry(const char *una
 	return retval;
 }
 
+static int _audit_log(int type, const char *uname, int rc)
+{
+#ifdef HAVE_LIBAUDIT
+	int audit_fd;
+
+	audit_fd = audit_open();
+	if (audit_fd < 0) {
+		/* You get these error codes only when the kernel doesn't have
+		 * audit compiled in. */
+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
+			errno == EAFNOSUPPORT)
+			return PAM_SUCCESS;
+
+		helper_log_err(LOG_CRIT, "audit_open() failed: %m");
+		return PAM_AUTH_ERR;
+	}
+
+	rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
+		uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
+	if (rc == -EPERM && geteuid() != 0) {
+		rc = 0;
+	}
+
+	audit_close(audit_fd);
+
+	return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
+#else
+	return PAM_SUCCESS;
+#endif
+}
+
 int main(int argc, char *argv[])
 {
 	char pass[MAXPASS + 1];
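Review bot: _audit_log reuses its `rc` parameter for the libaudit result on the line `rc = audit_log_acct_message(...)`, so the PAM outcome being reported and the send status share one variable; a separate local, e.g. `int ret = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd", uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);` with the EPERM test and the final return on `ret`, reads more clearly. The function has no header comment; add one stating that it writes one audit record and returns PAM_AUTH_ERR when the record could not be written, and PAM_SUCCESS when it was written, when the kernel has no audit support, or when an unprivileged caller is refused with EPERM, so a caller that returns its value fails closed on audit errors. The `%m` in the audit_open() failure message relies on helper_log_err passing the format through a glibc-style formatter; worth confirming that helper does.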
@@ -82,6 +117,7 @@ int main(int argc, char *argv[])
 		helper_log_err(LOG_NOTICE
 		      ,"inappropriate use of Unix helper binary [UID=%d]"
 			 ,getuid());
+		_audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
 		fprintf(stderr
 		 ,"This binary is not designed for running in this way\n"
 		      "-- the system administrator has been informed\n");
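Review bot: The result of _audit_log is discarded on the added line, as it is in the unknown-option branch of the next hunk, while the success path at the end of this patch returns it; if the discard is deliberate because the helper is about to exit, make that visible with `(void)_audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); /* best effort: exiting anyway */`. The exit that presumably follows the fprintf, and the rest of main(), are outside the hunk.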
@@ -118,9 +154,10 @@ int main(int argc, char *argv[])
 	  nullok = 1;
 	else if (strcmp(option, "nonull") == 0)
 	  nullok = 0;
-	else
+	else {
+	  _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
 	  return PAM_SYSTEM_ERR;
-
+	}
 	/* read the password from stdin (a pipe from the pam_unix module) */
 
 	npass = read_passwords(STDIN_FILENO, 1, passwords);
@@ -141,11 +178,16 @@ int main(int argc, char *argv[])
 	/* return pass or fail */
 
 	if (retval != PAM_SUCCESS) {
-		if (!nullok || !blankpass)
+		if (!nullok || !blankpass) {
 			/* no need to log blank pass test */
+			if (getuid() != 0)
+				_audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
 			helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
+		}
 		return PAM_AUTH_ERR;
 	} else {
+		if (getuid() != 0)
+			return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
 		return PAM_SUCCESS;
 	}
 }
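Review bot: On the success path the helper now returns whatever _audit_log returns, so an audit write failure turns a verified password into PAM_AUTH_ERR, whereas the failure path ignores the audit result; the asymmetry is defensible (fail closed only where a lost record would hide a success) but nothing says so, so add `/* fail closed: a success that cannot be audited is reported as a failure */` above that return. The two `getuid() != 0` gates repeat the same condition without explanation; if the intent is that a root caller audits on its own and only the unprivileged path introduced by the any-user patch needs a record from here, state it once, e.g. `/* root callers audit themselves; record only unprivileged checks */`, so the two sites stay in step. main() begins outside the hunk.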


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam.spec,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -r1.171 -r1.172
--- pam.spec	15 Feb 2008 17:27:28 -0000	1.171
+++ pam.spec	22 Feb 2008 15:49:55 -0000	1.172
@@ -5,7 +5,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.10.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -26,6 +26,8 @@
 Patch2:  db-4.6.18-glibc.patch
 Patch4:  pam-0.99.8.1-dbpam.patch
 Patch5:  pam-0.99.8.1-audit-no-log.patch
+Patch20: pam-0.99.10.0-unix-any-user.patch
+Patch21: pam-0.99.10.0-unix-audit-failed.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
 Patch42: pam-0.99.8.1-console-hal-handled.patch
@@ -100,6 +102,8 @@
 popd
 %patch4 -p1 -b .dbpam
 %patch5 -p1 -b .no-log
+%patch20 -p1 -b .any-user
+%patch21 -p1 -b .audit-failed
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
 %patch42 -p1 -b .hal-handled
@@ -374,6 +378,11 @@
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Feb 22 2008 Tomas Mraz <tmraz at redhat.com> 0.99.10.0-2
+- if shadow is readable for an user do not prevent him from
+  authenticating any user with unix_chkpwd (#433459)
+- call audit from unix_chkpwd when appropriate
+
 * Fri Feb 15 2008 Tomas Mraz <tmraz at redhat.com> 0.99.10.0-1
 - new upstream release
 - add default soft limit for nproc of 1024 to prevent



