From owner-freebsd-security Fri Jan 26 5:40:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from jenkins.web.us.uu.net (jenkins.web.us.uu.net [208.240.88.32]) by hub.freebsd.org (Postfix) with ESMTP id 16EB337B400 for ; Fri, 26 Jan 2001 05:40:30 -0800 (PST) Received: by jenkins.web.us.uu.net (Postfix, from userid 515) id 6323412685; Fri, 26 Jan 2001 08:40:29 -0500 (EST) From: "David J. MacKenzie" MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14961.32333.212703.615370@jenkins.web.us.uu.net> Date: Fri, 26 Jan 2001 08:40:29 -0500 (EST) To: freebsd-security@freebsd.org Subject: full PAM support patch for ftpd and fix for login X-Mailer: VM 6.62 under Emacs 19.34.1 X-Quote: It's a good thing we have gravity or else when birds died they'd just stay right up there. Hunters would be all confused. -- Stephen Wright Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org My full PAM support patch for login mishandles some return values, for which my fix is: --- login.c 2001/01/23 23:15:29 1.10 +++ login.c 2001/01/26 13:36:49 @@ -790,20 +790,20 @@ break; } - if (rval != -1) { + if (rval == 0) { e = pam_acct_mgmt(pamh, 0); if (e == PAM_NEW_AUTHTOK_REQD) { e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (e != PAM_SUCCESS) { syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); - rval = -1; + rval = 1; } } else if (e != PAM_SUCCESS) { rval = 1; } } - if (rval == -1) { + if (rval != 0) { if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); } which I discovered while adapting that patch to ftpd: --- ./Makefile 2001/01/26 13:12:30 1.1 +++ ./Makefile 2001/01/26 13:12:43 
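Review bot: The switch from `rval = -1` to `rval = 1` on the pam_chauthtok failure path is the security-relevant part of this hunk and nothing in the code records why: a negative rval is the "PAM unavailable, fall back to the local password check" signal (the ftpd hunk below shows the caller idiom `if (rval >= 0) goto skip;`, and login.c presumably uses the same one), so a user whose expired password could not be changed was previously handed to the traditional check and could be let in with the stale password. A contract comment above the new `if (rval == 0)` would keep this from regressing, e.g. `/* rval: 0 = PAM authenticated, 1 = denied, -1 = PAM unavailable (caller falls back to local auth); never return -1 once pam_authenticate has run */`. The `rval != 0` branch ends the handle, but whether `pamh` is then reset to NULL is not visible (the branch and the enclosing function both continue outside the hunk), so confirm the ended handle cannot be reused by the session code.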
@@ -18,9 +18,8 @@ SRCS+= ls.c cmp.c print.c util.c CFLAGS+=-Dmain=ls_main -I${.CURDIR}/${LSDIR} -.if defined(NOPAM) -CFLAGS+=-DNOPAM -.else +.if !defined(NOPAM) +CFLAGS+=-DUSE_PAM DPADD+= ${LIBPAM} LDADD+= ${MINUSLPAM} .endif --- ./ftpd.c 2001/01/25 22:09:55 1.1 +++ ./ftpd.c 2001/01/26 13:37:17 @@ -94,7 +94,7 @@ #include #endif -#if !defined(NOPAM) +#ifdef USE_PAM #include #endif @@ -179,8 +179,9 @@ static char ttyline[20]; char *tty = ttyline; /* for klogin */ -#if !defined(NOPAM) +#ifdef USE_PAM static int auth_pam __P((struct passwd**, const char*)); +pam_handle_t *pamh = NULL; #endif char *pid_file = NULL; @@ -1015,6 +1016,9 @@ static void end_login() { +#ifdef USE_PAM + int e; +#endif (void) seteuid((uid_t)0); if (logged_in) @@ -1024,12 +1028,21 @@ setusercontext(NULL, getpwuid(0), (uid_t)0, LOGIN_SETPRIORITY|LOGIN_SETRESOURCES|LOGIN_SETUMASK); #endif +#ifdef USE_PAM + if ((e = pam_setcred(pamh, PAM_DELETE_CRED)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + if ((e = pam_close_session(pamh,0)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_close_session: %s", pam_strerror(pamh, e)); + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + pamh = NULL; +#endif logged_in = 0; guest = 0; dochroot = 0; } -#if !defined(NOPAM) +#ifdef USE_PAM /* * the following code is stolen from imap-uw PAM authentication module and 
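Review bot: `pam_handle_t *pamh = NULL;` is given external linkage although every user visible in this patch (auth_pam, end_login, pass) lives in ftpd.c and auth_pam itself is declared `static` on the line above. Unless another object file references it, `static pam_handle_t *pamh = NULL;` keeps the handle out of the global namespace and makes the one-session-per-process ownership explicit. The surrounding declaration run continues outside the hunk.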
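Review bot: The PAM teardown added to end_login() runs unconditionally, but `pamh` is NULL for sessions that never went through PAM — anonymous logins, and the fallback path where auth_pam returns -1 and sets `pamh = NULL` (see the auth_pam hunk) — and the pass() hunk already guards its own `pam_open_session` with `if (pamh)`. On a NULL handle pam_setcred/pam_close_session/pam_end will at best fail and emit three spurious `LOG_ERR` lines per logout, and depending on the libpam implementation may dereference the NULL pointer. Mirror the setup guard by wrapping the three calls and the reset in `if (pamh != NULL) { ... pamh = NULL; }`, keeping it inside the same `#ifdef USE_PAM` since `e` is only declared there.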
@@ -1148,19 +1161,34 @@ break; default: - syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e)); + syslog(LOG_ERR, "pam_authenticate: %s", pam_strerror(pamh, e)); rval = -1; break; } - if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { - syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); - rval = -1; + if (rval == 0) { + e = pam_acct_mgmt(pamh, 0); + if (e == PAM_NEW_AUTHTOK_REQD) { + e = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (e != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_chauthtok: %s", pam_strerror(pamh, e)); + rval = 1; + } + } else if (e != PAM_SUCCESS) { + rval = 1; + } + } + + if (rval != 0) { + if ((e = pam_end(pamh, e)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e)); + } + pamh = NULL; } return rval; } -#endif /* !defined(NOPAM) */ +#endif /* USE_PAM */ void pass(passwd) @@ -1171,6 +1199,9 @@ #ifdef LOGIN_CAP login_cap_t *lc = NULL; #endif +#ifdef USE_PAM + int e; +#endif if (logged_in || askpasswd == 0) { reply(503, "Login with USER first."); @@ -1182,7 +1213,7 @@ rval = 1; /* failure below */ goto skip; } -#if !defined(NOPAM) +#ifdef USE_PAM rval = auth_pam(&pw, passwd); if (rval >= 0) goto skip; @@ -1261,6 +1292,16 @@ #else setlogin(pw->pw_name); (void) initgroups(pw->pw_name, pw->pw_gid); +#endif + +#ifdef USE_PAM + if (pamh) { + if ((e = pam_open_session(pamh, 0)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_open_session: %s", pam_strerror(pamh, e)); + } else if ((e = pam_setcred(pamh, PAM_ESTABLISH_CRED)) != PAM_SUCCESS) { + syslog(LOG_ERR, "pam_setcred: %s", pam_strerror(pamh, e)); + } + } #endif /* open wtmp before chroot */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
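Review bot: Calling `pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK)` from ftpd is unsafe in a way it is not in login.c, because FTP has no interactive channel for a password change: the conversation function (outside this hunk, described by the comment as derived from imap-uw) presumably answers every echo-off prompt with the password the client already sent, so a password-change module would receive the old password as the "new" one and in the worst case a stale password is re-set with a fresh expiry instead of being refused. Since the hunk already treats any chauthtok failure as a denial, the safer equivalent is to deny outright when PAM_NEW_AUTHTOK_REQD is returned: replace the pam_chauthtok branch with `/* no interactive channel to change an expired password over FTP */ rval = 1;` and syslog the event. auth_pam's body begins before this hunk (the switch on pam_authenticate's result is cut), so the `rval = -1` assignments there should be checked against the same contract as in login.c.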
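Review bot: A failure of pam_open_session or pam_setcred in pass() is logged and then ignored, so the login proceeds even though the session modules configured for ftpd did not complete — a session module whose purpose is to refuse or limit access is bypassed with nothing but a syslog line, whereas every failure in auth_pam is turned into a denial. Unless best-effort is deliberate here, treat these the same way as a post-authentication failure: reply with the usual `530` and take the same cleanup path pass() uses when rval != 0 after `skip:` (that code is outside this hunk). The `else if` also means a failed pam_open_session skips pam_setcred entirely while end_login still issues PAM_DELETE_CRED and pam_close_session for it, which is harmless but worth a one-line comment. pass() continues past the end of this hunk.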