Date:      Fri, 26 Sep 2014 09:08:34 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Brandon Allbery <allbery.b@gmail.com>
Cc:        Gustau Perez <gustau.perez@gmail.com>, FreeBSD stable <freebsd-stable@freebsd.org>, Tim Daneliuk <tundra@tundraware.com>, Dimitry Andric <dim@freebsd.org>
Subject:   Re: 10.1 BETA2 World - Breaks saslauthd
Message-ID:  <86ppeieu4t.fsf@nine.des.no>
In-Reply-To: <CAKFCL4WX1gDJFLuJwvSKBX+0eKM4OwahXkDqEO84NqiY=eHDCw@mail.gmail.com> (Brandon Allbery's message of "Thu, 25 Sep 2014 11:18:52 -0400")
References:  <b492e700f57a52e21f7755e6d01bd863.squirrel@www.tundraware.com> <3DA4B666-AB81-4F25-ABAE-DDC163F41E20@FreeBSD.org> <542430EB.1040804@tundraware.com> <CAKFCL4WX1gDJFLuJwvSKBX+0eKM4OwahXkDqEO84NqiY=eHDCw@mail.gmail.com>

Brandon Allbery <allbery.b@gmail.com> writes:
> To me the implication is that before the MFC, PAM had a potentially
> quite severe security issue involving either incorrect fallback to a
> default configuration or not correctly handling error returns from a
> PAM stack --- either of which could result in unauthorized users being
> permitted access.

No, that's a different issue.  This patch fixes a potential segfault
(see http://bugs.freebsd.org/83099).  However, I have received reports
that gdm (amongst others) actually wants to be able to call
pam_login_access without a host or tty.  The following patch makes that
possible:

Index: lib/libpam/modules/pam_login_access/pam_login_access.c
===================================================================
--- lib/libpam/modules/pam_login_access/pam_login_access.c	(revision 272101)
+++ lib/libpam/modules/pam_login_access/pam_login_access.c	(working copy)
@@ -94,8 +94,10 @@
 		PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
 		    user, tty);
 	} else {
-		PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required");
-		return (PAM_AUTHINFO_UNAVAIL);
+		PAM_LOG("Checking login.access for user %s", user);
+		if (login_access(user, "***unknown***") !=3D 0)
+			return (PAM_SUCCESS);
+		PAM_VERBOSE_ERROR("%s is not allowed to log in", user);
 	}
=20
 	return (PAM_AUTH_ERR);
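Review bot: the new fallback `if (login_access(user, "***unknown***") != 0)` hard-codes a magic origin string that an administrator has to know in order to write a login.access rule covering the no-host, no-tty case; pull it into a named constant and state in the module's man page that "***unknown***" is the origin matched when neither PAM_RHOST nor PAM_TTY is set. This branch also used to return PAM_AUTHINFO_UNAVAIL and now falls through to the trailing `return (PAM_AUTH_ERR);` on denial, so callers that told "no information" apart from "denied" will see a different return value; the commit message should call that out. Finally, the PAM_VERBOSE_ERROR text "%s is not allowed to log in" could include the placeholder origin so the logged message shows what the rule was evaluated against, matching the "on %s" form used in the other branches.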

Please test and report as soon as possible so I can get it into 10.

DES
-- 
Dag-Erling Smørgrav - des@des.no



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86ppeieu4t.fsf>