Date:      Fri, 26 Jan 2001 08:40:29 -0500 (EST)
From:      "David J. MacKenzie" <djm@web.us.uu.net>
To:        freebsd-security@freebsd.org
Subject:   full PAM support patch for ftpd and fix for login
Message-ID:  <14961.32333.212703.615370@jenkins.web.us.uu.net>

My full PAM support patch for login mishandles some return values,
for which my fix is:

--- login.c	2001/01/23 23:15:29	1.10
+++ login.c	2001/01/26 13:36:49
@@ -790,20 +790,20 @@
 		break;
 	}
 
-	if (rval != -1) {
+	if (rval == 0) {
 		e = pam_acct_mgmt(pamh, 0);
 		if (e == PAM_NEW_AUTHTOK_REQD) {
 			e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
 			if (e != PAM_SUCCESS) {
 				syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e));
-				rval = -1;
+				rval = 1;
 			}
 		} else if (e != PAM_SUCCESS) {
 			rval = 1;
 		}
 	}
 
-	if (rval == -1) {
+	if (rval != 0) {
 		if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
 			syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
 		}
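Review bot: The `else if (e != PAM_SUCCESS)` branch after pam_acct_mgmt sets `rval = 1` and denies the login without recording why, so the system log cannot distinguish an expired or locked account from a bad password, while the neighbouring pam_chauthtok and pam_end failures are logged. Add `syslog(LOG_ERR, "pam_acct_mgmt: %s", pam_strerror(pamh, e));` before `rval = 1;` in that branch, at the same level as its neighbours. The same silent branch is copied into the auth_pam hunk of ftpd.c below and wants the same line. The enclosing function begins and ends outside this hunk.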

which I discovered while adapting that patch to ftpd:

--- ./Makefile	2001/01/26 13:12:30	1.1
+++ ./Makefile	2001/01/26 13:12:43
@@ -18,9 +18,8 @@
 SRCS+=	ls.c cmp.c print.c util.c
 CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR}
 
-.if defined(NOPAM)
-CFLAGS+=-DNOPAM
-.else
+.if !defined(NOPAM)
+CFLAGS+=-DUSE_PAM
 DPADD+= ${LIBPAM}
 LDADD+= ${MINUSLPAM}
 .endif
--- ./ftpd.c	2001/01/25 22:09:55	1.1
+++ ./ftpd.c	2001/01/26 13:37:17
@@ -94,7 +94,7 @@
 #include <skey.h>
 #endif
 
-#if !defined(NOPAM)
+#ifdef USE_PAM
 #include <security/pam_appl.h>
 #endif
 
@@ -179,8 +179,9 @@
 static char ttyline[20];
 char	*tty = ttyline;		/* for klogin */
 
-#if !defined(NOPAM)
+#ifdef USE_PAM
 static int	auth_pam __P((struct passwd**, const char*));
+pam_handle_t *pamh = NULL;
 #endif
 
 char	*pid_file = NULL;
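Review bot: `pam_handle_t *pamh = NULL;` is introduced with external linkage while the auth_pam prototype directly above it is static; nothing in the patch shows another translation unit using the handle, so it should be `static pam_handle_t *pamh = NULL;` to keep it out of the global namespace and make every reader and writer of the handle visible in this file.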
@@ -1015,6 +1016,9 @@
 static void
 end_login()
 {
+#ifdef USE_PAM
+	int e;
+#endif
 
 	(void) seteuid((uid_t)0);
 	if (logged_in)
@@ -1024,12 +1028,21 @@
 	setusercontext(NULL, getpwuid(0), (uid_t)0,
 		       LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK);
 #endif
+#ifdef USE_PAM
+	if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS)
+		syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e));
+	if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS)
+		syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e));
+	if ((e = pam_end(pamh, e)) != PAM_SUCCESS)
+		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+	pamh = NULL;
+#endif
 	logged_in = 0;
 	guest = 0;
 	dochroot = 0;
 }
 
-#if !defined(NOPAM)
+#ifdef USE_PAM
 
 /*
  * the following code is stolen from imap-uw PAM authentication module and
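Review bot: The three PAM calls added to end_login run unconditionally under USE_PAM, even when pamh is NULL. auth_pam (later in this patch) resets pamh to NULL whenever it returns non-zero, and pass() falls through to the non-PAM authenticators when auth_pam returns -1, so a user logged in that way reaches this code with a null handle; the `if (logged_in)` guard just above also shows end_login is reachable before any login at all. The pass() hunk guards its session calls with `if (pamh)`; do the same here by wrapping the three calls and the `pamh = NULL;` reset in `if (pamh != NULL) { ... }`. What the library does with a null handle is not visible on this page, but at minimum it means three spurious LOG_ERR entries per such disconnect. end_login begins in the preceding hunk.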
@@ -1148,19 +1161,34 @@
 		break;
 
 	default:
-		syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
+		syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e));
 		rval = -1;
 		break;
 	}
 
-	if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
-		syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
-		rval = -1;
+	if (rval == 0) {
+		e = pam_acct_mgmt(pamh, 0);
+		if (e == PAM_NEW_AUTHTOK_REQD) {
+			e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+			if (e != PAM_SUCCESS) {
+				syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e));
+				rval = 1;
+			}
+		} else if (e != PAM_SUCCESS) {
+			rval = 1;
+		}
+	}
+
+	if (rval != 0) {
+		if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
+			syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
+		}
+		pamh = NULL;
 	}
 	return rval;
 }
 
-#endif /* !defined(NOPAM) */
+#endif /* USE_PAM */
 
 void
 pass(passwd)
@@ -1171,6 +1199,9 @@
 #ifdef	LOGIN_CAP
 	login_cap_t *lc = NULL;
 #endif
+#ifdef USE_PAM
+	int e;
+#endif
 
 	if (logged_in || askpasswd == 0) {
 		reply(503, "Login with USER first.");
@@ -1182,7 +1213,7 @@
 			rval = 1;	/* failure below */
 			goto skip;
 		}
-#if !defined(NOPAM)
+#ifdef USE_PAM
 		rval = auth_pam(&pw, passwd);
 		if (rval >= 0)
 			goto skip;
@@ -1261,6 +1292,16 @@
 #else
 	setlogin(pw->pw_name);
 	(void) initgroups(pw->pw_name, pw->pw_gid);
+#endif
+
+#ifdef USE_PAM
+	if (pamh) {
+		if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
+			syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e));
+		} else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) {
+			syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e));
+		}
+	}
 #endif
 
 	/* open wtmp before chroot */
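Review bot: A failure of pam_open_session or pam_setcred is only logged; pass() then continues past the hunk and completes the login, so whatever a PAM session module enforces is advisory in ftpd rather than a gate. If the intent is fail-closed, the failure branch should reject the login through the same failure path pass() uses for a bad password (outside this hunk) and close the handle, since end_login will otherwise call pam_close_session on a session that was never opened. If best-effort is intended, a comment such as `/* session/cred failures are logged but do not refuse the login */` would keep the next reader from assuming enforcement. pass() continues beyond this hunk.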





