From owner-freebsd-stable@FreeBSD.ORG Fri Sep 26 16:01:08 2014 Return-Path: Delivered-To: freebsd-stable@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 08E08D84; Fri, 26 Sep 2014 16:01:08 +0000 (UTC) Received: from citadel.icyb.net.ua (citadel.icyb.net.ua [212.40.38.140]) by mx1.freebsd.org (Postfix) with ESMTP id 15B8BEEB; Fri, 26 Sep 2014 16:01:05 +0000 (UTC) Received: from porto.starpoint.kiev.ua (porto-e.starpoint.kiev.ua [212.40.38.100]) by citadel.icyb.net.ua (8.8.8p3/ICyb-2.3exp) with ESMTP id SAA10870; Fri, 26 Sep 2014 18:57:17 +0300 (EEST) (envelope-from avg@FreeBSD.org) Received: from localhost ([127.0.0.1]) by porto.starpoint.kiev.ua with esmtp (Exim 4.34 (FreeBSD)) id 1XXXtV-000Nv5-9v; Fri, 26 Sep 2014 18:57:17 +0300 Message-ID: <54258C8B.90709@FreeBSD.org> Date: Fri, 26 Sep 2014 18:55:55 +0300 From: Andriy Gapon User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0 MIME-Version: 1.0 To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= Subject: Re: 10.1 BETA2 World - Breaks saslauthd References: <3DA4B666-AB81-4F25-ABAE-DDC163F41E20@FreeBSD.org> <542430EB.1040804@tundraware.com> <86ppeieu4t.fsf@nine.des.no> In-Reply-To: <86ppeieu4t.fsf@nine.des.no> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Cc: Dimitry Andric , FreeBSD stable X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Sep 2014 16:01:08 -0000 On 26/09/2014 10:08, Dag-Erling Smørgrav wrote: > Brandon Allbery writes: >> To me the implication is that before the MFC, PAM had a potentially >> quite severe security issue involving either incorrect fallback to a >> default configuration or not correctly handling error returns from a >> PAM stack --- either of which could result in unauthorized users being >> permitted access. > > No, that's a different issue. This patch fixes a potential segfault > (see http://bugs.freebsd.org/83099). However, I have recevied reports > that gdm (amongst others) actually want to be able to call > pam_login_access without a host or tty. The following patch makes that > possible: > > Index: lib/libpam/modules/pam_login_access/pam_login_access.c > =================================================================== > --- lib/libpam/modules/pam_login_access/pam_login_access.c (revision 272101) > +++ lib/libpam/modules/pam_login_access/pam_login_access.c (working copy) > @@ -94,8 +94,10 @@ > PAM_VERBOSE_ERROR("%s is not allowed to log in on %s", > user, tty); > } else { > - PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required"); > - return (PAM_AUTHINFO_UNAVAIL); > + PAM_LOG("Checking login.access for user %s", user); > + if (login_access(user, "***unknown***") != 0) > + return (PAM_SUCCESS); > + PAM_VERBOSE_ERROR("%s is not allowed to log in", user); > } > > return (PAM_AUTH_ERR); > > Please test and report as soon as possible so I can get it into 10. BTW, I think that chatted about this topic (no host, no tty) a long time ago and back then you suggested that PAM_IGNORE could be returned for that combination. I do not know much about PAM, so I can't evaluate neither the current code nor that hypothetical alternative. So, this is just a reminder about some old ideas. -- Andriy Gapon