Date: Wed, 14 Jun 2006 03:13:40 +0400
From: Tarc
To: Andrew Pantyukhin
Cc: freebsd-ports@freebsd.org
Subject: [xlockmore][PAM] Interest logs in debugging PAM
Message-ID: <20060613231340.GK22799@tarc.po.cs.msu.su>
References: <20060613113151.GC8105@heechee.tobez.org> <200606131037.58401.amistry@am-productions.biz> <20060613180907.GI22799@tarc.po.cs.msu.su>

On Tue, Jun 13, 2006 at 10:27:46PM +0400, Andrew Pantyukhin wrote:
> >It's not a good idea.
> >I have used the recently updated xlockmore for several years and I never
> >had any problems
>
> Well, we are serious about security issues. In these cases
> a couple of failures rule against a thousand success
> stories. I'm sure over 99% of security advisories have never
> been exploited. Yet we avoid using software with security
> flaws.
>
> So that's how it is ;-)
> No, that won't do ;-)

*** DON'T KILL XLOCK WITH THE -KILL SIGNAL: after this your X11 will be
unusable: xlock will not restore the ACL for your X11 DISPLAY ***

About BADPAM
------------

Everything is fine as far as security issues go. You can look at the
xlock/passwd.c file and find there the code which works with PAM.
xlock returns the EUID to the real UID on any error.

About GL/MesaGL modes
---------------------

Please try to run `xlock -nolock': xlock doesn't lock your box with
this switch.
Debugging PAM
-------------

I did the following and got some interesting debug info:

0) echo MAKEOBJDIRPREFIX=/usr/obj >> /etc/make.conf

1) cd ${PORTSDIR}/x11/xlockmore && make config configure
   *** I selected the WITH_PAM option to be on and BADPAM to be off ***

2) cd /usr/obj/`pwd`/work/xlockmore-5.22/xlock

3) apply the following patch, go to ${PORTSDIR}/x11/xlockmore and say
   `make install'
   *** This patch enables debug messages in the OpenPAM library (the one
   FreeBSD uses) ***

----%<-----debug.openpam.patch-
--- passwd.c.orig	Thu Dec 15 15:39:51 2005
+++ passwd.c	Wed Jun 14 02:20:22 2006
@@ -1165,6 +1165,7 @@
 #else /* !DCE_PASSWD */
 #ifdef USE_PAM
+	extern int _openpam_debug;
 /*-
  * Use PAM to do authentication.  No session logging, only authentication.
  * Bail out if there are any errors.
@@ -1191,6 +1192,7 @@
 	(void) seteuid(0);	/* temporarily go to root so that pam can get shadow password */
 #endif
 #ifdef DEBUG
+	_openpam_debug = 1;
 	(void) printf("PAM: Before: UID (%d), EUID (%d)\n", getuid(), geteuid());
 #endif
 	PAM_password = buffer;
---->%-----debug.openpam.patch-

4) Because I don't have NIS at all, the contents of my /etc/nsswitch.conf
   follow:
   *** system compiled & installed with the WITHOUT_NIS option in
   /etc/src.conf ***

----%<-----nsswitch.conf-
group: files
hosts: files dns
networks: files
passwd: files
shells: files
services: files
protocols: files
rpc: files
---->%-----nsswitch.conf-

5) enable auth.debug logging by syslogd(8):

----%<-----syslog.conf.patch-
--- /usr/src/etc/syslog.conf	Tue May 30 03:26:02 2006
+++ syslog.conf	Wed Jun 14 01:51:08 2006
@@ -9,6 +9,7 @@
 *.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err	/var/log/messages
 security.*					/var/log/security
 auth.info;authpriv.info				/var/log/auth.log
+auth.*						/var/log/auth.debug.log
 mail.info					/var/log/maillog
 lpr.info					/var/log/lpd-errs
 ftp.info					/var/log/xferlog
---->%-----syslog.conf.patch-

6) run xlock, type _any_ text as the password and look in the system log
   for auth.debug (in my case /var/log/auth.debug.log) for the following:
   *** I killed xlock after the "incorrect input". ***

----%<-----auth.debug.log-
Jun 14 02:20:38 tarc xlock[2424]: Start: tarc, tarc, :1.0
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.d/xlock: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.conf: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_unix.so: pam_sm_open_session(): Undefined symbol "pam_sm_open_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_unix.so: pam_sm_close_session(): Undefined symbol "pam_sm_close_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_unix.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_unix.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_echo.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_echo.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_authenticate(): Undefined symbol "pam_sm_authenticate"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_setcred(): Undefined symbol "pam_sm_setcred"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_open_session(): Undefined symbol "pam_sm_open_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_close_session(): Undefined symbol "pam_sm_close_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_chauthtok(): Undefined symbol "pam_sm_chauthtok"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_login_access.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_login_access.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_permit.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_permit.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in pam_start(): pam_start("xlock") succeeded
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Got user: tarc
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Doing real authentication
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Got password
Jun 14 02:20:46 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Got user: root
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Doing real authentication
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Got password
Jun 14 02:20:54 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_echo.so
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_unix.so
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_login_access.so
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_permit.so
Jun 14 02:20:58 tarc xlock[2424]: xlock: failed unlock attempt on user tarc
Jun 14 02:20:58 tarc xlock[2424]: Access control list restored.
xlock: caught signal 15 while running qix mode (uid 1001).
Jun 14 02:20:58 tarc xlock[2424]: Stop: tarc, tarc, :1.0, 0m 20s
---->%-----auth.debug.log-

What does it mean? It means that on FreeBSD BADPAM is needed. IMHO

-- 
Best regards,
Arseny Nasokin
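Review bot: `_openpam_debug` in the first hunk of debug.openpam.patch is an underscore-prefixed internal variable of OpenPAM, not part of the public PAM API, so `extern int _openpam_debug;` fails to link against any libpam that does not export that exact symbol and may stop working on a later OpenPAM release that renames it; it is fine for a one-off debugging build but should not go into the port's patch set.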
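Review bot: in the second hunk of debug.openpam.patch the `_openpam_debug = 1;` assignment sits inside `#ifdef DEBUG`, so the OpenPAM messages only appear when passwd.c is compiled with DEBUG defined; the step list (0 to 6) never says how DEBUG was switched on for this build, so either document that step or place the assignment outside the `#ifdef` for the debugging build so a reader reproducing it gets the same log.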
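Review bot: the added `auth.*	/var/log/auth.debug.log` line in syslog.conf.patch routes every auth-facility message, debug level included, to a new file, but nothing creates that file, and FreeBSD's syslogd(8) does not create log files it cannot open; create it root-owned with mode 0600 before restarting syslogd, since at debug level it records the account name of every unlock attempt (the log above shows both `tarc` and `root` being tried). The existing `auth.info;authpriv.info /var/log/auth.log` line is kept, so those messages are now written twice.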
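As an added example (not part of the mail or of xlockmore), a small parser for the auth.debug.log format quoted above: it groups OpenPAM's `in <function>(): ...` messages by xlock PID and reports which policy files OpenPAM could not read, which modules it loaded in their place, and the outcome of each unlock attempt. The sample log is a trimmed, constructed copy of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the auth.debug.log lines quoted above
# (syslog prefix, then OpenPAM's "in <function>(): <message>" form).
SAMPLE_LOG = """\
Jun 14 02:20:38 tarc xlock[2424]: Start: tarc, tarc, :1.0
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.d/xlock: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.conf: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_unix.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_permit.so
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Got user: tarc
Jun 14 02:20:46 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Got user: root
Jun 14 02:20:54 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:58 tarc xlock[2424]: xlock: failed unlock attempt on user tarc
"""

# syslog line: "<month day hh:mm:ss> <host> <prog>[<pid>]: <msg>"
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[]+)\[(\d+)\]: (.*)$")
# OpenPAM debug message: "in <func>(): <detail>"
OPENPAM_RE = re.compile(r"^in (\w+)\(\): (.*)$")

def parse_line(line):
    """Return (pid, func, detail); func is None for non-OpenPAM messages."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, msg = m.group(4), m.group(5)
    o = OPENPAM_RE.match(msg)
    return (pid, o.group(1), o.group(2)) if o else (pid, None, msg)

def summarize(text):
    """Per xlock PID: policy files OpenPAM could not read, modules it
    loaded (i.e. the fallback policy), and each auth attempt's outcome."""
    sessions = defaultdict(lambda: {"missing_policy": [], "modules": [], "attempts": []})
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        pid, func, detail = parsed
        s = sessions[pid]
        if func == "openpam_read_chain" and detail.endswith("No such file or directory"):
            s["missing_policy"].append(detail.split(":")[0])
        elif func == "openpam_load_module" and detail.startswith("using dynamic "):
            s["modules"].append(detail[len("using dynamic "):])
        elif func == "pam_sm_authenticate" and detail.startswith("Got user: "):
            s["attempts"].append({"user": detail[len("Got user: "):], "outcome": "pending"})
        elif func == "openpam_dispatch" and detail == "required module failed" and s["attempts"]:
            s["attempts"][-1]["outcome"] = "failed"  # a 'required' module rejected the attempt
    return dict(sessions)
```

Run against the full log quoted above it shows the same picture: no xlock policy file, the fallback modules loaded, and both the user and the root attempt rejected by a required module.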