
Re: pwdb breakage



Michael K. Johnson wrote:
> One more related problem with pam_pwdb -- if a user's entry in /etc/passwd
> has a * (note: NOT an x), and the /etc/shadow entry is blank, the user,
> rather than being locked out, is let in without being queried for a password
> (assuming null_ok is set).
> 
> This is a security hole.  So, do I get my name on the web page as someone
> who has broken pam, and therefore deserves respect?  :-)

My feeling is that all of these are holes in libpwdb.

Below, I have attached a spec file and set of patch files to apply against
libpwdb-0.54preD.  You can see what can be applied to 0.54preC (I no longer
have a copy of that..)  So far as I can tell, it fixes all of the problems
you have been experiencing.  __HOWEVER__, the patch to avoid the problem you
discuss above has the nasty side-effect of breaking the 'nullok' argument in
pam_pwdb.so (at least it does in the version I have in my tree at the
moment).

I'll have to think about this nullok side-effect some more, but in the
meantime I hope people will find these patches useful.

Cheers

Andrew

begin 644 pwdb-preD-F.tar.gz
end


-- 
               Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
                  http://parc.power.net/morgan/index.html


