Date:      Fri, 6 Jul 2012 17:17:25 GMT
From:      Zak Blacher <zblacher@sandvine.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/169686: Made OPIE support tunable at kernel level
Message-ID:  <201207061717.q66HHPgb096148@red.freebsd.org>
Resent-Message-ID: <201207061720.q66HK2Su028143@freefall.freebsd.org>


>Number:         169686
>Category:       misc
>Synopsis:       Made OPIE support tunable at kernel level
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 06 17:20:02 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator:     Zak Blacher
>Release:        releng 8.3
>Organization:
Sandvine Corporation
>Environment:
FreeBSD xxxxxxxx.sandvine.com 8.1-RELEASE FreeBSD 8.1-RELEASE (GENERIC amd64) amd64

>Description:
re: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938

Added a build option to completely remove the OPIE-related libraries and executables.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: usr.bin/telnet/Makefile
===================================================================
--- usr.bin/telnet/Makefile	(revision 238165)
+++ usr.bin/telnet/Makefile	(working copy)
@@ -10,7 +10,7 @@
 SRCS=		commands.c main.c network.c ring.c sys_bsd.c \
 		telnet.c terminal.c utilities.c
 
-CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
+CFLAGS+=	-DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK \
 		-I${TELNETDIR} -I${TELNETDIR}/libtelnet/
 
 .if ${MK_INET6_SUPPORT} != "no"
@@ -47,4 +47,8 @@
 .endif
 .endif
 
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+=	-DOPIE
+.endif
+
 .include <bsd.prog.mk>
Index: usr.bin/Makefile
===================================================================
--- usr.bin/Makefile	(revision 238165)
+++ usr.bin/Makefile	(working copy)
@@ -143,9 +143,9 @@
 	nohup \
 	${_nslookup} \
 	${_nsupdate} \
-	opieinfo \
-	opiekey \
-	opiepasswd \
+	${_opieinfo} \
+	${_opiekey} \
+	${_opiepasswd} \
 	pagesize \
 	passwd \
 	paste \
@@ -178,7 +178,6 @@
 	split \
 	stat \
 	su \
-	systat \
 	tabs \
 	tail \
 	talk \
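Review bot: The `-	systat \` removal in this hunk drops systat from the usr.bin SUBDIR list, which has nothing to do with OPIE and is not mentioned anywhere in the PR description. Unless this is deliberate, restore the line, `	systat \`, so that a build with OPIE left enabled does not silently lose systat. This looks like a stray working-copy edit; no other hunk in the patch touches systat.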
@@ -391,4 +390,10 @@
 _smbutil=	smbutil
 .endif
 
+.if ${MK_OPIE_SUPPORT} != "no"
+_opieinfo=	opieinfo
+_opiekey=	opiekey
+_opiepasswd=	opiepasswd
+.endif
+
 .include <bsd.subdir.mk>
Index: share/mk/bsd.own.mk
===================================================================
--- share/mk/bsd.own.mk	(revision 238165)
+++ share/mk/bsd.own.mk	(working copy)
@@ -372,6 +372,7 @@
     OBJC \
     OPENSSH \
     OPENSSL \
+    OPIE \
     PAM \
     PF \
     PKGTOOLS \
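Review bot: The new knob is undocumented: the `OPIE` entry added here defines MK_OPIE, but the patch adds no description file for it, so src.conf(5), which as far as I recall is generated from tools/build/options/WITHOUT_* stubs, will never mention WITHOUT_OPIE. Add a tools/build/options/WITHOUT_OPIE file with a sentence such as: set to not build OPIE (One-time Passwords In Everything) support, i.e. libopie, the opieinfo/opiekey/opiepasswd utilities and the pam_opie and pam_opieaccess modules. The `.for var in` list this hunk extends begins before the hunk.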
@@ -521,6 +522,7 @@
     KERBEROS \
     KVM \
     NETGRAPH \
+    OPIE \
     PAM \
     WIRELESS
 .if defined(WITH_${var}_SUPPORT) && defined(WITHOUT_${var}_SUPPORT)
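Review bot: Turning MK_OPIE_SUPPORT off on an already-installed system does not remove the previously installed libopie.so, pam_opie.so, pam_opieaccess.so or opie* binaries, so the CVE-2010-1938 exposure cited in the description survives an upgrade built WITHOUT_OPIE until someone deletes those files by hand. If the tree has an OptionalObsoleteFiles.inc (or equivalent) mechanism, add a `.if ${MK_OPIE} == no` section listing those files so `make delete-old` / `delete-old-libs` cleans them up; otherwise at least state this caveat in the option description. The rest of the `.for var in` block this hunk extends is outside the hunk.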
Index: share/mk/bsd.libnames.mk
===================================================================
--- share/mk/bsd.libnames.mk	(revision 238165)
+++ share/mk/bsd.libnames.mk	(working copy)
@@ -101,7 +101,11 @@
 LIBNGATM?=	${DESTDIR}${LIBDIR}/libngatm.a
 LIBNVPAIR?=	${DESTDIR}${LIBDIR}/libnvpair.a
 LIBOBJC?=	${DESTDIR}${LIBDIR}/libobjc.a
+.if ${MK_OPIE_SUPPORT} != "no"
 LIBOPIE?=	${DESTDIR}${LIBDIR}/libopie.a
+LIBPAM+=	${LIBOPIE}
+MINUSLPAM+=	-lopie
+.endif
 
 # The static PAM library doesn't know its secondary dependencies,
 # so we have to specify them explicitly.
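Review bot: The `LIBPAM+=	${LIBOPIE}` and `MINUSLPAM+=	-lopie` lines added inside the new `.if` come before the comment that, in the stock file, introduces `LIBPAM?=` and `MINUSLPAM=	-lpam` (both just past the end of this hunk, so I cannot see them here). If that ordering holds, the `+=` leaves LIBPAM already defined when the `?=` runs, so libpam.a itself drops out of LIBPAM, and the plain `=` on MINUSLPAM overwrites the `-lopie` you just appended, so it is never linked at all. Keep only the `LIBOPIE?=` line inside this block and add the two `+=` lines further down, after the existing `LIBPAM+=`/`MINUSLPAM+=` pair in the static-link section.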
@@ -116,7 +120,7 @@
 LIBPAM+=	${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
 		${LIBUTIL} ${LIBOPIE} ${LIBMD}
 MINUSLPAM+=	-lradius -ltacplus -lcrypt \
-		-lutil -lopie -lmd
+		-lutil -lmd
 .if ${MK_OPENSSH} != "no"
 LIBPAM+=	${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT}
 MINUSLPAM+=	-lssh -lcrypto -lcrypt
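Review bot: The `${LIBOPIE}` reference in the unchanged `LIBPAM+=` continuation line is left in place while `-lopie` is removed from the matching `MINUSLPAM+=` line, so the two lists no longer mirror each other; with OPIE disabled LIBOPIE is simply undefined and the DPADD entry expands to nothing, which hides the inconsistency rather than fixing it. Drop `${LIBOPIE}` from the LIBPAM line and add the OPIE-conditional pair right here, inside the same static-link block, so both variables are extended in one place under one condition. The `.if defined(LDFLAGS)` block these lines belong to starts before the hunk.

```make
LIBPAM+=	${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
		${LIBUTIL} ${LIBMD}
MINUSLPAM+=	-lradius -ltacplus -lcrypt \
		-lutil -lmd
.if ${MK_OPIE_SUPPORT} != "no"
LIBPAM+=	${LIBOPIE}
MINUSLPAM+=	-lopie
.endif
# … unchanged: MK_OPENSSH block …
```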
Index: lib/Makefile
===================================================================
--- lib/Makefile	(revision 238165)
+++ lib/Makefile	(working copy)
@@ -82,7 +82,7 @@
 	${_libmp} \
 	${_libncp} \
 	${_libngatm} \
-	libopie \
+	${_libopie} \
 	libpam \
 	libpcap \
 	${_libpmc} \
@@ -202,4 +202,8 @@
 _libusb=	libusb
 .endif
 
+.if ${MK_OPIE_SUPPORT} != "no"
+_libopie=   libopie
+.endif
+
 .include <bsd.subdir.mk>
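Review bot: `_libopie=   libopie` pads with spaces where every neighbouring assignment in this file (`_libusb=	libusb` a few lines above) uses a tab; write it as `_libopie=	libopie` so the block matches its surroundings. The run of conditional `_lib*=` assignments this extends begins before the hunk.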
Index: lib/libpam/modules/modules.inc
===================================================================
--- lib/libpam/modules/modules.inc	(revision 238165)
+++ lib/libpam/modules/modules.inc	(working copy)
@@ -17,8 +17,10 @@
 MODULES		+= pam_lastlog
 MODULES		+= pam_login_access
 MODULES		+= pam_nologin
+.if ${MK_OPIE_SUPPORT} != "no"
 MODULES		+= pam_opie
 MODULES		+= pam_opieaccess
+.endif
 MODULES		+= pam_passwdqc
 MODULES		+= pam_permit
 MODULES		+= pam_radius
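Review bot: Making pam_opie and pam_opieaccess conditional here without touching the stock policies under etc/pam.d is risky: the shipped policies for login, sshd, ftpd and friends reference pam_opie.so and pam_opieaccess.so, and OpenPAM, as far as I recall, treats a module it cannot load as a fatal policy error rather than skipping it, so a WITHOUT_OPIE build could lock every PAM-using service out instead of merely dropping OPIE. Either generate the pam.d files conditionally (omit the two OPIE `auth` lines when `${MK_OPIE_SUPPORT} == "no"`) or state in the option description that the administrator must remove those lines from /etc/pam.d/* before installing a build without OPIE. Please verify the OpenPAM failure mode before relying on either.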
Index: etc/Makefile
===================================================================
--- etc/Makefile	(revision 238165)
+++ etc/Makefile	(working copy)
@@ -104,6 +104,9 @@
 .if ${MK_SENDMAIL} != "no"
 MTREE+=	BSD.sendmail.dist
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+MTREE+= BSD.opie.dist
+.endif
 .if ${MK_BIND} != "no"
 MTREE+=	BIND.chroot.dist
 .if ${MK_BIND_LIBS} != "no"
@@ -156,7 +159,8 @@
 	    ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \
 		${BIN2} ${DESTDIR}/etc; \
 	    ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
-		master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+		master.passwd nsmb.conf ${DESTDIR}/etc; \
+	    
 .if ${MK_AT} == "no"
 	sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
 .endif
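Review bot: The rewritten install line now ends in `; \` and is followed by a whitespace-only continuation line (the `+	    ` line), so the shell command is joined with a line of spaces instead of terminating cleanly; it works only by accident and will trip up the next person editing this recipe. Drop the trailing backslash and the empty line, leaving `		master.passwd nsmb.conf ${DESTDIR}/etc;`. The `distribution` recipe this belongs to begins before the hunk.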
@@ -203,6 +207,10 @@
 	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
 	    ${SSL} ${DESTDIR}/etc/ssl
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+	    opieaccess ${DESTDIR}/etc
+.endif
 .if ${MK_KERBEROS} != "no"
 	cd ${.CURDIR}/root; \
 	    ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
@@ -274,6 +282,9 @@
 .if ${MK_SENDMAIL} != "no"
 	mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+	mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.opie.dist -p ${DESTDIR}/
+.endif
 	cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
 	cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
 	cd ${DESTDIR}/usr/share/man/en.UTF-8; ln -sf ../man* .
@@ -305,7 +316,7 @@
 
 etc-examples:
 	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
-	    ${BIN1} ${BIN2} nsmb.conf opieaccess \
+	    ${BIN1} ${BIN2} nsmb.conf \
 	    ${DESTDIR}/usr/share/examples/etc
 	${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \
 	    DESTDIR=${DESTDIR}/usr/share/examples
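Review bot: Removing opieaccess from the etc-examples install is unconditional, so even a build with OPIE enabled no longer ships /usr/share/examples/etc/opieaccess, while the distribution target elsewhere in this patch still installs the real /etc/opieaccess conditionally. Keep the example in step with the real file by adding, after this install, `.if ${MK_OPIE_SUPPORT} != "no"` / `	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 opieaccess ${DESTDIR}/usr/share/examples/etc` / `.endif`.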
Index: etc/mtree/BSD.var.dist
===================================================================
--- etc/mtree/BSD.var.dist	(revision 238165)
+++ etc/mtree/BSD.var.dist	(working copy)
@@ -77,8 +77,6 @@
         ..
         mqueue
         ..
-        opielocks       mode=0700
-        ..
         output
             lpd
             ..
Index: etc/mtree/BSD.opie.dist
===================================================================
--- etc/mtree/BSD.opie.dist	(revision 0)
+++ etc/mtree/BSD.opie.dist	(revision 0)
@@ -0,0 +1,15 @@
+# $FreeBSD$
+#
+# Please see the file src/etc/mtree/README before making changes to this file.
+#
+
+/set type=dir uname=root gname=wheel mode=0755
+.               nochange
+    var             nochange
+        spool           nochange
+            opielocks   gname=daemon mode=0700
+            ..
+        ..
+    ..
+..
+
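Review bot: The `opielocks   gname=daemon mode=0700` entry changes the directory's group: the entry removed from BSD.var.dist carried only `mode=0700` and so appears to have taken its group from the spec's `/set` default of wheel, whereas this file assigns daemon. With mode 0700 the group has no practical effect, but an unexplained ownership change on a security-relevant lock directory should either go back to `gname=wheel` or carry a one-line comment saying why daemon is wanted. Please also drop the trailing empty line at the end of the new file.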
Index: etc/mtree/Makefile
===================================================================
--- etc/mtree/Makefile	(revision 238165)
+++ etc/mtree/Makefile	(working copy)
@@ -10,6 +10,7 @@
 	BSD.usr.dist \
 	BSD.var.dist \
 	BSD.x11-4.dist \
+	BSD.opie.dist \
 	BSD.x11.dist
 
 .if ${MK_BIND} != "no"
Index: libexec/lukemftpd/Makefile
===================================================================
--- libexec/lukemftpd/Makefile	(revision 238165)
+++ libexec/lukemftpd/Makefile	(working copy)
@@ -1,8 +1,6 @@
 #	@(#)Makefile	8.2 (Berkeley) 4/4/94
 # $FreeBSD$
 
-.include <bsd.own.mk>
-
 LUKEMFTPD=	${.CURDIR}/../../contrib/lukemftpd
 .PATH: ${LUKEMFTPD}/src ${LUKEMFTPD}/libnetbsd
 
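Review bot: Deleting `.include <bsd.own.mk>` from the top of libexec/lukemftpd/Makefile removes the very include that defines the MK_* variables the rest of this patch relies on, and nothing in the hunk replaces it; the later hunks in this file then fall back to the old `NO_*` spelling, which suggests the file was diffed against a stale working copy rather than changed on purpose. Restore the include line unchanged and drop the unrelated churn in this file. The Makefile continues past the hunk.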
@@ -14,7 +12,7 @@
 
 WFORMAT= 0
 
-.if ${MK_INET6_SUPPORT} != "no"
+.if !defined(NO_INET6)
 CFLAGS+= -DINET6
 .endif
 
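Review bot: Replacing `.if ${MK_INET6_SUPPORT} != "no"` with `.if !defined(NO_INET6)` reverts the IPv6 check to the pre-MK_* spelling that the rest of the tree, and this patch's own usr.bin/telnet hunk which still tests MK_INET6_SUPPORT, has moved away from. It is unrelated to OPIE and should be left as it was.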
@@ -33,16 +31,22 @@
 DPADD+=	${LIBM}
 LDADD+=	-lm
 
-CFLAGS+= -DUSE_OPIE -DLOGIN_CAP
-DPADD+=	${LIBOPIE} ${LIBMD}
-LDADD+=	-lopie -lmd
+CFLAGS+= -DLOGIN_CAP
+DPADD+=	${LIBMD}
+LDADD+=	-lmd
 
-.if ${MK_PAM_SUPPORT} != "no"
+.if !defined(NO_PAM)
 CFLAGS+= -DUSE_PAM
 DPADD+=	${LIBPAM}
 LDADD+=	${MINUSLPAM}
 .endif
 
+.if !defined(NO_OPIE)
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
 CLEANFILES+=	ls-unmain.c
 ls-unmain.c: ls.c
 	sed -e 's/^main(/ls_main(/g' -e 's,extern.h,${LSDIR}/extern.h,' \
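Review bot: The new OPIE block tests `!defined(NO_OPIE)`, a variable that nothing in this patch or the build system sets, so WITHOUT_OPIE_SUPPORT still leaves lukemftpd compiling with -DUSE_OPIE and linking -lopie against a libopie that is no longer built; the PAM check is likewise regressed to `!defined(NO_PAM)`. Use the same knobs as the libexec/ftpd hunk, `.if ${MK_PAM_SUPPORT} != "no"` and `.if ${MK_OPIE_SUPPORT} != "no"`, and put tabs after `DPADD+=`/`LDADD+=` as the surrounding lines do. The `ls-unmain.c` rule this hunk ends on continues past it.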
@@ -58,3 +62,4 @@
 .include <bsd.prog.mk>
 
 ${OBJS}: ${.CURDIR}/nbsd2fbsd.h
+
Index: libexec/ftpd/Makefile
===================================================================
--- libexec/ftpd/Makefile	(revision 238165)
+++ libexec/ftpd/Makefile	(working copy)
@@ -17,8 +17,8 @@
 LDADD=	-lutil -lcrypt
 
 # XXX Kluge! Conversation mechanism needs to be fixed.
-DPADD+=	${LIBOPIE} ${LIBMD}
-LDADD+=	-lopie -lmd
+DPADD+=	${LIBMD}
+LDADD+=	-lmd
 
 LSDIR=	../../bin/ls
 .PATH:	${.CURDIR}/${LSDIR}
@@ -33,8 +33,14 @@
 
 .if ${MK_PAM_SUPPORT} != "no"
 CFLAGS+=-DUSE_PAM
-DPADD+= ${LIBPAM}
-LDADD+= ${MINUSLPAM}
+DPADD+=	${LIBPAM}
+LDADD+=	${MINUSLPAM}
 .endif
 
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+=	-DUSE_OPIE
+DPADD+=	${LIBOPIE}
+LDADD+=	-lopie
+.endif
+
 .include <bsd.prog.mk>
Index: libexec/ftpd/ftpd.c
===================================================================
--- libexec/ftpd/ftpd.c	(revision 238165)
+++ libexec/ftpd/ftpd.c	(working copy)
@@ -79,7 +79,6 @@
 #include <netdb.h>
 #include <pwd.h>
 #include <grp.h>
-#include <opie.h>
 #include <signal.h>
 #include <stdint.h>
 #include <stdio.h>
@@ -97,6 +96,10 @@
 #include <security/pam_appl.h>
 #endif
 
+#ifdef USE_OPIE
+#include <opie.h>
+#endif
+
 #include "pathnames.h"
 #include "extern.h"
 
@@ -105,6 +108,9 @@
 static char version[] = "Version 6.00LS";
 #undef main
 
+extern	off_t restart_point;
+extern	char cbuf[];
+
 union sockunion ctrl_addr;
 union sockunion data_source;
 union sockunion data_dest;
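Review bot: The `extern off_t restart_point;` and `extern char cbuf[];` declarations added after `#undef main` have no connection to OPIE and the PR description does not mention them; if one of the other ftpd changes bundled in this patch needs them, say which, otherwise they belong in extern.h (included just above) rather than being redeclared in the .c file. Unrelated ftpd fixes should go in their own PR so the OPIE knob can be reviewed and merged on its own.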
@@ -181,8 +187,11 @@
 pam_handle_t	*pamh = NULL;
 #endif
 
+#ifdef USE_OPIE
 static struct opie	opiedata;
 static char		opieprompt[OPIE_CHALLENGE_MAX+1];
+#endif
+
 static int		pwok;
 
 char	*pid_file = NULL; /* means default location to pidfile(3) */
@@ -245,7 +254,7 @@
 static void	 maskurg(int);
 static void	 flagxfer(int);
 static int	 myoob(void);
-static int	 checkuser(char *, char *, int, char **);
+static int	 checkuser(char *, char *, int, char **, int *);
 static FILE	*dataconn(char *, off_t, char *);
 static void	 dolog(struct sockaddr *);
 static void	 end_login(void);
@@ -998,6 +1007,7 @@
 void
 user(char *name)
 {
+	int ecode;
 	char *cp, *shell;
 
 	if (logged_in) {
@@ -1018,9 +1028,12 @@
 	pw = sgetpwnam("ftp");
 #endif
 	if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
-		if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL) ||
-		    checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL))
+		if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL, &ecode) ||
+		    (ecode != 0 && ecode != ENOENT))
 			reply(530, "User %s access denied.", name);
+		else if (checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL, &ecode) ||
+		    (ecode != 0 && ecode != ENOENT))
+			reply(530, "User %s access denied.", name);
 		else if (pw != NULL) {
 			guest = 1;
 			askpasswd = 1;
@@ -1047,7 +1060,9 @@
 				break;
 		endusershell();
 
-		if (cp == NULL || checkuser(_PATH_FTPUSERS, name, 1, NULL)) {
+		if (cp == NULL || 
+		    (checkuser(_PATH_FTPUSERS, name, 1, NULL, &ecode) ||
+		    (ecode != 0 && ecode != ENOENT))) {
 			reply(530, "User %s access denied.", name);
 			if (logging)
 				syslog(LOG_NOTICE,
@@ -1064,13 +1079,18 @@
 #ifdef USE_PAM
 	/* XXX Kluge! The conversation mechanism needs to be fixed. */
 #endif
+
+#ifdef USE_OPIE
 	if (opiechallenge(&opiedata, name, opieprompt) == 0) {
 		pwok = (pw != NULL) &&
 		       opieaccessfile(remotehost) &&
 		       opiealways(pw->pw_dir);
 		reply(331, "Response to %s %s for %s.",
 		      opieprompt, pwok ? "requested" : "required", name);
-	} else {
+	} 
+	else 
+#endif
+	{
 		pwok = 1;
 		reply(331, "Password required for %s.", name);
 	}
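Review bot: The `} ` / `else ` / `#endif` / `{` layout (note the trailing whitespace on the first two lines) is hard to read and, when USE_OPIE is off, leaves an unexplained bare block around the password prompt. Keep the braces together, `	} else` on one line followed by `#endif` and then `	{`, with a short comment such as `/* no OPIE: always fall back to the password prompt */` above the block so each configuration reads as ordinary code. user() begins before this hunk.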
@@ -1089,13 +1109,15 @@
  * of the matching line in "residue" if not NULL.
  */
 static int
-checkuser(char *fname, char *name, int pwset, char **residue)
+checkuser(char *fname, char *name, int pwset, char **residue, int *ecode)
 {
 	FILE *fd;
 	int found = 0;
 	size_t len;
 	char *line, *mp, *p;
 
+	if (ecode != NULL)
+		*ecode = 0;
 	if ((fd = fopen(fname, "r")) != NULL) {
 		while (!found && (line = fgetln(fd, &len)) != NULL) {
 			/* skip comments */
@@ -1164,7 +1186,8 @@
 				free(mp);
 		}
 		(void) fclose(fd);
-	}
+	} else if (ecode != NULL)
+		*ecode = errno;
 	return (found);
 }
 
@@ -1361,7 +1384,7 @@
 void
 pass(char *passwd)
 {
-	int rval;
+	int rval, ecode;
 	FILE *fd;
 #ifdef	LOGIN_CAP
 	login_cap_t *lc = NULL;
@@ -1385,13 +1408,18 @@
 #ifdef USE_PAM
 		rval = auth_pam(&pw, passwd);
 		if (rval >= 0) {
+#ifdef USE_OPIE
 			opieunlock();
+#endif
 			goto skip;
 		}
 #endif
+#ifdef USE_OPIE
 		if (opieverify(&opiedata, passwd) == 0)
 			xpasswd = pw->pw_passwd;
-		else if (pwok) {
+		else 
+#endif
+		if (pwok) {
 			xpasswd = crypt(passwd, pw->pw_passwd);
 			if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
 				xpasswd = ":";
@@ -1492,11 +1520,21 @@
 			stats = 0;
 
 	dochroot =
-		checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue)
+		checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue, &ecode)
 #ifdef	LOGIN_CAP	/* Allow login.conf configuration as well */
 		|| login_getcapbool(lc, "ftp-chroot", 0)
 #endif
 	;
+	/*
+	 * It is possible that checkuser() failed to open the chroot file.
+	 * If this is the case, report that logins are un-available, since we
+	 * have no way of checking whether or not the user should be chrooted.
+	 * We ignore ENOENT since it is not required that this file be present.
+	 */
+	if (ecode != 0 && ecode != ENOENT) {
+		reply(530, "Login not available right now.");
+		return;
+	}
 	chrootdir = NULL;
 	/*
 	 * For a chrooted local user,
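Review bot: The new `reply(530, "Login not available right now."); return;` for an unreadable ftpchroot file bails out of pass() without unwinding whatever the earlier, out-of-hunk part of the function has already set up for this login (in stock ftpd the wtmp record, `logged_in` and the effective gid are in place by this point), whereas the chroot failure a few lines below uses `goto bad` for exactly that unwinding. Use `goto bad;` here as well so that a fail-closed check leaves the session in the same state as any other login failure. I cannot see the start of pass() or the `bad:` label in this hunk, so please confirm what `bad:` tears down.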
@@ -1543,7 +1581,6 @@
 			reply(550, "Can't change root.");
 			goto bad;
 		}
-		__FreeBSD_libc_enter_restricted_mode();
 	} else	/* real user w/o chroot */
 		homedir = pw->pw_dir;
 	/*
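Review bot: Deleting the `__FreeBSD_libc_enter_restricted_mode();` call right after the successful chroot() is a security regression unrelated to OPIE: that call tells libc to stop loading NSS and similar modules once the process is rooted in a directory the ftp user may be able to write to, and it was added, as far as I recall, as the fix for the chroot module-loading advisory (FreeBSD-SA-11:07). Without it a user who can write inside the chroot can get the ftpd process to dlopen a module of their choosing on a later name-service lookup. Restore the line; if the submitter's base tree lacks the function, that indicates the diff was taken against an older libc, not that the call is unneeded. The enclosing chroot branch begins before this hunk.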
@@ -1874,12 +1911,20 @@
 #ifdef TCP_NOPUSH
 	/*
 	 * Turn off push flag to keep sender TCP from sending short packets
-	 * at the boundaries of each write().
+	 * at the boundaries of each write().  Should probably do a SO_SNDBUF
+	 * to set the send buffer size as well, but that may not be desirable
+	 * in heavy-load situations.
 	 */
 	on = 1;
 	if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof on) < 0)
 		syslog(LOG_WARNING, "data setsockopt (TCP_NOPUSH): %m");
 #endif
+#ifdef SO_SNDBUF
+	on = 65536;
+	if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on) < 0)
+		syslog(LOG_WARNING, "data setsockopt (SO_SNDBUF): %m");
+#endif
+
 	return (fdopen(s, mode));
 bad:
 	/* Return the real value of errno (close may change it) */
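Review bot: The new unconditional `setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on)` with a fixed 65536 contradicts the comment it sits under, which says forcing a send-buffer size "may not be desirable in heavy-load situations", and on FreeBSD an explicit SO_SNDBUF disables TCP send-buffer autosizing (net.inet.tcp.sendbuf_auto), so it can make large transfers slower rather than faster. This is also unrelated to the OPIE knob and undocumented in the PR. Drop it, or make it opt-in via a command-line option and leave the default socket behaviour alone; at minimum the comment and the code should agree. dataconn() begins before this hunk.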
@@ -3471,3 +3516,4 @@
 	}
 	return(socks);
 }
+


>Release-Note:
>Audit-Trail:
>Unformatted:


