Date: Fri, 26 Sep 2014 12:26:17 +0200
From: Dimitry Andric <dim@FreeBSD.org>
To: Dag-Erling Smørgrav <des@des.no>
Cc: Gustau Perez <gustau.perez@gmail.com>, Tim Daneliuk <tundra@tundraware.com>, FreeBSD stable <freebsd-stable@freebsd.org>, Brandon Allbery <allbery.b@gmail.com>
Subject: Re: 10.1 BETA2 World - Breaks saslauthd
Message-ID: <1924A408-DD94-440E-87F5-DFDD74F07BB0@FreeBSD.org>
In-Reply-To: <86ppeieu4t.fsf@nine.des.no>
References: <b492e700f57a52e21f7755e6d01bd863.squirrel@www.tundraware.com> <3DA4B666-AB81-4F25-ABAE-DDC163F41E20@FreeBSD.org> <542430EB.1040804@tundraware.com> <CAKFCL4WX1gDJFLuJwvSKBX+0eKM4OwahXkDqEO84NqiY=eHDCw@mail.gmail.com> <86ppeieu4t.fsf@nine.des.no>
On 26 Sep 2014, at 09:08, Dag-Erling Smørgrav <des@des.no> wrote:
> Brandon Allbery <allbery.b@gmail.com> writes:
>> To me the implication is that before the MFC, PAM had a potentially
>> quite severe security issue involving either incorrect fallback to a
>> default configuration or not correctly handling error returns from a
>> PAM stack --- either of which could result in unauthorized users being
>> permitted access.
> 
> No, that's a different issue. This patch fixes a potential segfault
> (see http://bugs.freebsd.org/83099). However, I have received reports
> that gdm (amongst others) actually want to be able to call
> pam_login_access without a host or tty. The following patch makes that
> possible:
> 
> Index: lib/libpam/modules/pam_login_access/pam_login_access.c
> ===================================================================
> --- lib/libpam/modules/pam_login_access/pam_login_access.c	(revision 272101)
> +++ lib/libpam/modules/pam_login_access/pam_login_access.c	(working copy)
> @@ -94,8 +94,10 @@
>  			PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
>  			    user, tty);
>  		} else {
> -			PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required");
> -			return (PAM_AUTHINFO_UNAVAIL);
> +			PAM_LOG("Checking login.access for user %s", user);
> +			if (login_access(user, "***unknown***") != 0)
> +				return (PAM_SUCCESS);
> +			PAM_VERBOSE_ERROR("%s is not allowed to log in", user);
>  		}
> 
>  	return (PAM_AUTH_ERR);
> 
> Please test and report as soon as possible so I can get it into 10.

It works for me. I even tried removing the /usr/local/etc/pam.d/smtpd
file, restarting postfix and saslauthd, and it still worked:

saslauthd[66602] :do_auth : auth success: [user=dim] [service=smtp] [realm=] [mech=pam]
saslauthd[66602] :do_request : response: OK
saslauthd[66603] :get_accept_lock : acquired accept lock

-Dimitry
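Review bot: in the hunk at @@ -94,8 +94,10 @@, the else branch that used to fail closed with `return (PAM_AUTHINFO_UNAVAIL);` now makes an allow/deny decision against the placeholder origin `"***unknown***"`, so whether a caller that supplies neither PAM_RHOST nor PAM_TTY is admitted depends entirely on how the administrator's login.access rules treat that value; that behaviour belongs in the module's documentation next to the existing PAM_RHOST/PAM_TTY description, and the `PAM_LOG("Checking login.access for user %s", user);` line should state that no host or tty was supplied, since on the `return (PAM_SUCCESS);` path nothing else in the log distinguishes this branch from a normal host- or tty-qualified grant.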