Date: Mon, 30 Oct 2006 22:29:36 +0100 (CET)
From: Dan Lukes <dan@obluda.cz>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: Stanislav Sedov <ssedov@mbsd.msk.ru>
Subject: ports/104946: [ PATCH ] security/pam_af abend
Message-ID: <200610302129.k9ULTawd091246@kulesh.obluda.cz>
Resent-Message-ID: <200610302130.k9ULURRY044163@freefall.freebsd.org>
>Number: 104946 >Category: ports >Synopsis: [ PATCH ] security/pam_af abend >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Mon Oct 30 21:30:26 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Dan Lukes >Release: FreeBSD 6.1-RELEASE i386 >Organization: Obludarium >Environment: ports/security/pam_af/Makefile,v 1.2 2006/10/01 20:05:53 stas >Description: 1. security/pam_af abends when PAM_RHOST is NULL 2. pam_sm_setcred ignore the 'allow_on_error' parameter >How-To-Repeat: Install port, trigger the situation specified in description (login/su locally or so for example) >Fix: The NULL host is processed as "" --- patch-pam_af.c begins here --- --- pam_af.c.ORIG Sun Oct 16 17:55:27 2005 +++ pam_af.c Mon Oct 30 22:25:41 2006 @@ -223,6 +223,10 @@ PAM_RETURN(pam_err_ret); } + if (host == NULL) { + host=""; + } + PAM_AF_LOG("processing host '%s'\n", (char *)host); /* Fetch rule for host */ @@ -360,11 +364,14 @@ hostrec_t hstr; const char *tmp; int ret; + int pam_err_ret = PAM_SERVICE_ERR;/* Result in case of err. */ #ifdef _USE_SYSLOG_ openlog("pam_af", 0, LOG_AUTHPRIV); #endif + if (pam_af_get_option(argc, argv, "allow_on_error") != NULL) + pam_err_ret = PAM_SUCCESS; if ((tmp = pam_af_get_option(argc, argv, "statdb")) != NULL) stdb = tmp; @@ -376,9 +383,14 @@ #endif /* _SUN_PAM_ */ if (ret != PAM_SUCCESS) { PAM_AF_LOGERR("can't get '%s' item\n", "PAM_RHOST"); - PAM_RETURN(PAM_SERVICE_ERR); + PAM_RETURN(pam_err_ret); } + if (host == NULL) { + host=""; + } + + /* Open statistics database */ #ifdef O_EXLOCK stdbp = dbm_open(stdb, O_RDWR | O_CREAT | O_EXLOCK, STATDB_PERM); @@ -395,7 +407,7 @@ if (getuid() == 0) { PAM_AF_LOGERR("can't open '%s' database: %s\n", \ stdb, strerror(errno)); - PAM_RETURN(PAM_CRED_UNAVAIL); + PAM_RETURN(pam_err_ret); } else PAM_RETURN(PAM_SUCCESS); 
@@ -407,7 +419,7 @@ PAM_AF_LOGERR("can't obtain exclusive lock on %s: %s\n", stdb, strerror(errno)); dbm_close(stdbp); - PAM_RETURN(PAM_CRED_UNAVAIL); + PAM_RETURN(pam_err_ret); } #endif --- patch-pam_af.c ends here --- >Release-Note: >Audit-Trail: >Unformatted:
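Review bot: In the hunk at -223,6, substituting "" for a NULL host means the empty string is what reaches the rule fetch that follows (`/* Fetch rule for host */`), so every request that arrives without PAM_RHOST is handled as one and the same host. That avoids the crash, but the choice deserves a comment at the check, and the log line would be more useful if it reported that PAM_RHOST was unset instead of printing `processing host ''`. Style: `host="";` should read `host = "";`.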
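Review bot: In the hunk at -360,11, setting `allow_on_error` makes every error return that goes through `pam_err_ret` come back as PAM_SUCCESS, so this function fails open on those paths; the declaration comment `/* Result in case of err. */` should say that the value depends on `allow_on_error`. The new `if (pam_af_get_option(argc, argv, "allow_on_error") != NULL)` also runs straight into the `statdb` lookup with no blank line between them, and the declaration needs a space between `;` and `/*`.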
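Review bot: The `if (host == NULL)` block in the hunk at -376,9 is a copy of the one added at -223,6; a small helper or macro shared by both places would keep the two from drifting apart. The hunk also adds two blank lines before `/* Open statistics database */` where one is enough.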
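Review bot: Replacing `PAM_RETURN(PAM_CRED_UNAVAIL)` with `PAM_RETURN(pam_err_ret)` in the hunk at -395,7 changes the result even when `allow_on_error` is not given: `pam_err_ret` is initialised to PAM_SERVICE_ERR, so a failed database open under `getuid() == 0` no longer returns PAM_CRED_UNAVAIL. The description only mentions honouring `allow_on_error`; if the default return code is meant to stay as it was, return PAM_CRED_UNAVAIL unless the option is set, for example through a second variable initialised to PAM_CRED_UNAVAIL. The lock-failure path in the hunk at -407,7 carries the same change.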