From: Miguel Lopes Santos Ramos
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: It's not possible to allow non-OPIE logins only from trusted networks
Date: Fri, 11 Mar 2011 21:15:33 +0000
Message-ID: <1299878133.29931.14.camel@w500.local>
In-Reply-To: <1299838652.24241.1.camel@w500.local>
References: <1299682310.17149.24.camel@w500.local> <86aah2yopr.fsf@ds4.des.no> <1299838652.24241.1.camel@w500.local>

Here's a scratch.

I added an option, called "require_trusted", which enforces the trusted
network check even for users which do not have OPIE enabled. If this
option is not used, behaviour is unchanged.

The name "require_trusted" is catchy and compelling to use. However, if
it was used in default configuration files, login would be impossible
(unless there was a default opieaccess file which permitted everything,
but that is a bit forcing OPIE stuff on people and it's not worth it).

Here are three of the scratches I made:
- I first tried to change as few lines as reasonable, that's
  pam_opieaccess_mindiff.c, but that made the code look less regular:
  instead of two ifs leading to return PAM_SUCCESS, now there was a
  third returning failure, so,
- as an attempt to avoid that, I used a nested if,
  pam_opieaccess_nestedif.c,
- then I tried to factor things out, and the best way seemed to be
  negating everything.

I still scratched a bit more, but it started looking like much ado
about nothing.

Fri, 2011-03-11 at 10:17 +0000, Miguel Lopes Santos Ramos wrote:
> Fri, 2011-03-11 at 10:46 +0100, Dag-Erling Smørgrav wrote:
> > Miguel Lopes Santos Ramos writes:
> > > 1. The user does not have OPIE enabled and the remote host is listed as
> > > a trusted host in /etc/opieaccess.
> > > 2. The user has OPIE enabled and the remote host is listed as a trusted
> > > host in /etc/opieaccess, and the user does not have a file
> > > named .opiealways in his home directory.
> > >
> > > Or at least this should be an option for pam_opieaccess.
> >
> > Seems like a good idea, at first blush (provided it's optional). Do you
> > have a patch?
> >
> > DES
>
> I will make a scratch. I'll submit it to the list on the weekend.
>
-- 
Miguel Ramos
PGP A006A14C

[Attachment: pam_opieaccess.8.diff (text/x-patch)]
[Attachment: pam_opieaccess_favorite.diff (text/x-patch)]
[Attachment: pam_opieaccess_mindiff.diff (text/x-patch)]
[Attachment: pam_opieaccess_nestedif.diff (text/x-patch)]
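The require_trusted decision the message describes, modelled as an added C example that is neither Miguel's patch nor FreeBSD's pam_opieaccess.c: the three booleans stand in for what opieaccessfile(), opielookup() and opiealways() report, the verdict codes are assumed stand-ins for PAM_SUCCESS/PAM_AUTH_ERR, and the no-option path assumes the unchanged behaviour the quoted conditions describe (non-OPIE users pass, OPIE users pass only from a trusted host without ~/.opiealways).

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in verdict codes for this example; the real module returns
 * PAM_SUCCESS or PAM_AUTH_ERR. */
enum verdict { ALLOW = 0, DENY_UNTRUSTED_HOST = 1, DENY_MUST_USE_OPIE = 2 };

/*
 * Decide whether a reusable-password (non-OPIE) login may proceed.
 *   host_trusted    - remote host is listed in /etc/opieaccess
 *   opie_enabled    - the user has an OPIE entry
 *   opiealways      - ~/.opiealways exists, the user always wants OPIE
 *   require_trusted - the proposed option: apply the trusted-host check
 *                     to every user, not only to OPIE users
 */
enum verdict opieaccess_decide(bool host_trusted, bool opie_enabled,
    bool opiealways, bool require_trusted)
{
	/* New behaviour: with require_trusted, nobody logs in from an
	 * untrusted network with a reusable password. */
	if (require_trusted && !host_trusted)
		return DENY_UNTRUSTED_HOST;
	/* Unchanged behaviour: users without OPIE are not this module's
	 * concern, so other modules in the stack decide. */
	if (!opie_enabled)
		return ALLOW;
	/* An OPIE user who created ~/.opiealways never bypasses OPIE. */
	if (opiealways)
		return DENY_MUST_USE_OPIE;
	/* An OPIE user may skip OPIE only from a trusted host. */
	return host_trusted ? ALLOW : DENY_UNTRUSTED_HOST;
}

/* Count the input combinations whose allow/deny outcome changes when
 * require_trusted is on: only "no OPIE, untrusted host" should flip. */
int opieaccess_count_flips(void)
{
	int flips = 0;
	for (int bits = 0; bits < 8; bits++) {
		bool h = bits & 1, o = bits & 2, a = bits & 4;
		bool before = opieaccess_decide(h, o, a, false) == ALLOW;
		bool after = opieaccess_decide(h, o, a, true) == ALLOW;
		if (before != after)
			flips++;
	}
	return flips;
}

int main(void)
{
	printf("combinations changed by require_trusted: %d\n",
	    opieaccess_count_flips());
	return 0;
}
```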