From owner-freebsd-bugs@FreeBSD.ORG Fri Jul 6 13:30:12 2012 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 9324B106564A for ; Fri, 6 Jul 2012 13:30:12 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6780B8FC12 for ; Fri, 6 Jul 2012 13:30:12 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.5/8.14.5) with ESMTP id q66DUCxV000157 for ; Fri, 6 Jul 2012 13:30:12 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.5/8.14.5/Submit) id q66DUCWH000153; Fri, 6 Jul 2012 13:30:12 GMT (envelope-from gnats) Resent-Date: Fri, 6 Jul 2012 13:30:12 GMT Resent-Message-Id: <201207061330.q66DUCWH000153@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Zak Blacher Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CF459106564A for ; Fri, 6 Jul 2012 13:25:43 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id B96888FC15 for ; Fri, 6 Jul 2012 13:25:43 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q66DPhQP017469 for ; Fri, 6 Jul 2012 13:25:43 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id q66DPhgo017467; Fri, 6 Jul 2012 13:25:43 GMT (envelope-from nobody) Message-Id: <201207061325.q66DPhgo017467@red.freebsd.org> Date: Fri, 6 Jul 2012 13:25:43 GMT 
From: Zak Blacher To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: misc/169681: Made OPIE support tunable at kernel level X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 06 Jul 2012 13:30:12 -0000 >Number: 169681 >Category: misc >Synopsis: Made OPIE support tunable at kernel level >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Fri Jul 06 13:30:12 UTC 2012 >Closed-Date: >Last-Modified: >Originator: Zak Blacher >Release: releng_9 >Organization: Sandvine Corporation >Environment: >Description: re: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 Added option to completely remove opie related libraries and executables. >How-To-Repeat: >Fix: Patch attached with submission follows:
Index: usr.bin/telnet/Makefile
===================================================================
--- usr.bin/telnet/Makefile (revision 238117)
+++ usr.bin/telnet/Makefile (working copy)
@@ -10,7 +10,7 @@
 SRCS= commands.c main.c network.c ring.c sys_bsd.c \
 telnet.c terminal.c utilities.c
-CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
+CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK \
 -I${TELNETDIR} -I${TELNETDIR}/libtelnet/
 .if ${MK_INET6_SUPPORT} != "no"
@@ -49,4 +49,8 @@
 .endif
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+= -DOPIE
+.endif
+
 .include
Index: usr.bin/Makefile
===================================================================
--- usr.bin/Makefile (revision 238117)
+++ usr.bin/Makefile (working copy)
@@ -143,7 +143,6 @@
 split \
 stat \
 su \
- systat \
 tabs \
 tail \
 talk \
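Review bot: The `- systat \` deletion in the usr.bin/Makefile hunk at -143 drops systat(1) from the build and has nothing to do with the OPIE knob the PR describes; it reads as a stray local change that should be reverted before this is committed. A patch that silently removes an unrelated utility is hard to review and easy to merge by accident, so the PR should either justify it or lose it.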
@@ -341,6 +340,12 @@
 SUBDIR+= wtmpcvt
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+_opieinfo= opieinfo
+_opiekey= opiekey
+_opiepasswd= opiepasswd
+.endif
+
 .include
 SUBDIR:= ${SUBDIR:O}
Index: gnu/usr.bin/Makefile
===================================================================
--- gnu/usr.bin/Makefile (revision 238117)
+++ gnu/usr.bin/Makefile (working copy)
@@ -18,7 +18,6 @@
 sdiff \
 send-pr \
 sort \
- ${_texinfo}
 .if ${MK_CXX} != "no"
 _gperf= gperf
Index: share/mk/bsd.own.mk
===================================================================
--- share/mk/bsd.own.mk (revision 238117)
+++ share/mk/bsd.own.mk (working copy)
@@ -373,6 +373,7 @@
 NTP \
 OPENSSH \
 OPENSSL \
+ OPIE \
 PAM \
 PF \
 PKGTOOLS \
@@ -570,6 +571,7 @@
 KERBEROS \
 KVM \
 NETGRAPH \
+ OPIE \
 PAM \
 WIRELESS
 .if defined(WITH_${var}_SUPPORT) && defined(WITHOUT_${var}_SUPPORT)
Index: share/mk/bsd.libnames.mk
===================================================================
--- share/mk/bsd.libnames.mk (revision 238117)
+++ share/mk/bsd.libnames.mk (working copy)
@@ -116,7 +116,7 @@
 LIBPAM+= ${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
 ${LIBUTIL} ${LIBOPIE} ${LIBMD}
 MINUSLPAM+= -lradius -ltacplus -lcrypt \
- -lutil -lopie -lmd
+ -lutil -lmd
 .if ${MK_OPENSSH} != "no"
 LIBPAM+= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT}
 MINUSLPAM+= -lssh -lcrypto -lcrypt
Index: lib/Makefile
===================================================================
--- lib/Makefile (revision 238117)
+++ lib/Makefile (working copy)
@@ -86,7 +86,7 @@
 ${_libmp} \
 ${_libncp} \
 ${_libngatm} \
- libopie \
+ ${_libopie} \
 libpam \
 libpcap \
 ${_libpmc} \
@@ -230,4 +230,8 @@
 _libusb= libusb
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+_libopie= libopie
+.endif
+
 .include
Index: lib/libpam/modules/modules.inc
===================================================================
--- lib/libpam/modules/modules.inc (revision 238117)
+++ lib/libpam/modules/modules.inc (working copy)
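Review bot: `_opieinfo`, `_opiekey` and `_opiepasswd` are defined in the usr.bin/Makefile hunk at -341, but neither of the two usr.bin/Makefile hunks in this patch removes `opieinfo`, `opiekey` and `opiepasswd` from SUBDIR or adds the `${_opie*}` references in their place, so the three programs still build unconditionally and a WITHOUT_OPIE build will fail to link them against the libopie that no longer exists. Unless that edit lives somewhere outside this patch, replace the three SUBDIR entries with `${_opieinfo} \`, `${_opiekey} \` and `${_opiepasswd} \`.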
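Review bot: The `- ${_texinfo}` removal in gnu/usr.bin/Makefile is unrelated to OPIE and drops texinfo from the build whenever `_texinfo` is set; it looks like another stray local change and should not be part of this PR. It also leaves `sort \` as the final SUBDIR entry with a trailing continuation onto the blank line that follows it.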
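Review bot: Adding OPIE to the default-yes option list and to the `_SUPPORT` derivation loop in bsd.own.mk is the right plumbing, but the knob is left undocumented: FreeBSD generates src.conf(5) from per-option files under tools/build/options, and no `tools/build/options/WITHOUT_OPIE` is added by this patch, so the new option will not appear in the manual page. Add that file with a one-line description such as `Set to not build OPIE one-time password support (libopie, opiekey(1), opiepasswd(1), opieinfo(1), pam_opie(8), pam_opieaccess(8)).`. The PR synopsis ("tunable at kernel level") is also misleading for what is a userland src.conf(5) build option.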
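Review bot: In the bsd.libnames.mk hunk `-lopie` is dropped from MINUSLPAM unconditionally while `${LIBOPIE}` remains in LIBPAM on the line just above, so DPADD and LDADD no longer describe the same set of libraries, and a build with OPIE enabled that links PAM modules statically loses the library pam_opie's code needs. Make both halves follow the new knob instead: remove `${LIBOPIE}` from the unconditional LIBPAM line and add `.if ${MK_OPIE_SUPPORT} != "no"` / `LIBPAM+= ${LIBOPIE}` and `MINUSLPAM+= -lopie` / `.endif` next to the existing MK_OPENSSH block.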
@@ -17,8 +17,10 @@
 MODULES += pam_lastlog
 MODULES += pam_login_access
 MODULES += pam_nologin
+.if ${MK_OPIE_SUPPORT} != "no"
 MODULES += pam_opie
 MODULES += pam_opieaccess
+.endif
 MODULES += pam_passwdqc
 MODULES += pam_permit
 MODULES += pam_radius
Index: etc/Makefile
===================================================================
--- etc/Makefile (revision 238117)
+++ etc/Makefile (working copy)
@@ -108,6 +108,9 @@
 .if ${MK_SENDMAIL} != "no"
 MTREE+= BSD.sendmail.dist
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+MTREE+= BSD.opie.dist
+.endif
 .if ${MK_BIND} != "no"
 MTREE+= BIND.chroot.dist
 .if ${MK_BIND_LIBS} != "no"
@@ -160,7 +163,8 @@
 ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \
 ${BIN2} ${DESTDIR}/etc; \
 ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
- master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+ master.passwd nsmb.conf ${DESTDIR}/etc; \
+
 .if ${MK_AT} == "no"
 sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
 .endif
@@ -207,6 +211,10 @@
 cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
 ${SSL} ${DESTDIR}/etc/ssl
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+ cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+ opieaccess ${DESTDIR}/etc
+.endif
 .if ${MK_KERBEROS} != "no"
 cd ${.CURDIR}/root; \
 ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
@@ -281,6 +289,9 @@
 .if ${MK_SENDMAIL} != "no"
 mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.opie.dist -p ${DESTDIR}/
+.endif
 cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
 cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
 cd ${DESTDIR}/usr/share/man/en.UTF-8; ln -sf ../man* .
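Review bot: Not building pam_opie and pam_opieaccess is only half the job: the stock policies in etc/pam.d (login, sshd, ftpd, su and others) reference `pam_opie.so` and `pam_opieaccess.so`, and as far as I know OpenPAM refuses to load a policy whose module cannot be found, failing `pam_start()` with a system error, so a WITHOUT_OPIE system would lock everyone out of every service that uses those policies. Nothing in this patch touches etc/pam.d, so either the pam.d files need `${MK_OPIE_SUPPORT}` handling in etc/Makefile (install variants without the two lines, or strip them at install time), or the option description must state that the administrator has to edit the policies before rebooting. This is the hunk I would block on.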
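Review bot: The rewritten install line in the etc/Makefile hunk at -160 now ends with `; \` and is followed by an added empty line, so the shell command continues onto a blank line before `.if ${MK_AT} == "no"`; drop the trailing backslash and the blank so the line reads `master.passwd nsmb.conf ${DESTDIR}/etc;`. The opieaccess install itself moves correctly into the -207 hunk under the new knob and keeps mode 600.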
@@ -312,7 +323,7 @@
 etc-examples:
 cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
- ${BIN1} ${BIN2} nsmb.conf opieaccess \
+ ${BIN1} ${BIN2} nsmb.conf \
 ${DESTDIR}/usr/share/examples/etc
 ${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \
 DESTDIR=${DESTDIR}/usr/share/examples
Index: etc/mtree/BSD.var.dist
===================================================================
--- etc/mtree/BSD.var.dist (revision 238117)
+++ etc/mtree/BSD.var.dist (working copy)
@@ -79,8 +79,6 @@
 ..
 mqueue
 ..
- opielocks mode=0700
- ..
 output
 lpd
 ..
Index: etc/mtree/BSD.opie.dist
===================================================================
--- etc/mtree/BSD.opie.dist (revision 0)
+++ etc/mtree/BSD.opie.dist (revision 0)
@@ -0,0 +1,15 @@
+# $FreeBSD$
+#
+# Please see the file src/etc/mtree/README before making changes to this file.
+#
+
+/set type=dir uname=root gname=wheel mode=0755
+. nochange
+ var nochange
+ spool nochange
+ opielocks gname=daemon mode=0700
+ ..
+ ..
+ ..
+..
+
Index: libexec/lukemftpd/Makefile
===================================================================
--- libexec/lukemftpd/Makefile (revision 238117)
+++ libexec/lukemftpd/Makefile (working copy)
@@ -1,8 +1,6 @@
 # @(#)Makefile 8.2 (Berkeley) 4/4/94
 # $FreeBSD$
-.include
-
 LUKEMFTPD= ${.CURDIR}/../../contrib/lukemftpd
 .PATH: ${LUKEMFTPD}/src ${LUKEMFTPD}/libnetbsd
@@ -14,7 +12,7 @@
 WFORMAT= 0
-.if ${MK_INET6_SUPPORT} != "no"
+.if !defined(NO_INET6)
 CFLAGS+= -DINET6
 .endif
@@ -33,16 +31,22 @@
 DPADD+= ${LIBM}
 LDADD+= -lm
-CFLAGS+= -DUSE_OPIE -DLOGIN_CAP
-DPADD+= ${LIBOPIE} ${LIBMD}
-LDADD+= -lopie -lmd
+CFLAGS+= -DLOGIN_CAP
+DPADD+= ${LIBMD}
+LDADD+= -lmd
-.if ${MK_PAM_SUPPORT} != "no"
+.if !defined(NO_PAM)
 CFLAGS+= -DUSE_PAM
 DPADD+= ${LIBPAM}
 LDADD+= ${MINUSLPAM}
 .endif
+.if !defined(NO_OPIE)
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
 CLEANFILES+= ls-unmain.c
 ls-unmain.c: ls.c
 sed -e 's/^main(/ls_main(/g' -e 's,extern.h,${LSDIR}/extern.h,' \
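Review bot: The etc-examples target at -312 drops opieaccess unconditionally, so even a build with OPIE enabled stops shipping /usr/share/examples/etc/opieaccess, the reference copy administrators are pointed at for /etc/opieaccess. Mirror what the -207 hunk does for /etc and guard the example instead of deleting it: `.if ${MK_OPIE_SUPPORT} != "no"` / `cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 opieaccess ${DESTDIR}/usr/share/examples/etc` / `.endif`.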
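Review bot: The new BSD.opie.dist declares `opielocks gname=daemon mode=0700`, whereas the entry removed from BSD.var.dist carried only `mode=0700` and inherited its group from the enclosing `/set` (wheel, if that file's `/set` matches the one written here). Because etc/Makefile runs this spec with `mtree -deU`, the group of /var/spool/opielocks will be rewritten on every install; with mode 0700 that changes no effective access, but moving a directory to a new spec file should not also change its ownership silently, so either drop `gname=daemon` or state in the PR why daemon is intended.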
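Review bot: libexec/lukemftpd/Makefile is keyed on `NO_OPIE`, `NO_PAM` and `NO_INET6` (and the -1 hunk removes the `.include` of bsd.own.mk) while every other file in this patch uses `${MK_OPIE_SUPPORT}`, so a `WITHOUT_OPIE` build still compiles lukemftpd with `-DUSE_OPIE` and links it with `-lopie` against a libopie that is no longer built. Keep the bsd.own.mk include and the existing `${MK_INET6_SUPPORT}` and `${MK_PAM_SUPPORT}` tests, and guard the new block with `.if ${MK_OPIE_SUPPORT} != "no"` as the ftpd Makefile hunk does. The wholesale switch to NO_* tests looks like an accidental reversion of the rest of the file rather than part of the feature.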
@@ -58,3 +62,4 @@
 .include
 ${OBJS}: ${.CURDIR}/nbsd2fbsd.h
+
Index: libexec/ftpd/Makefile
===================================================================
--- libexec/ftpd/Makefile (revision 238117)
+++ libexec/ftpd/Makefile (working copy)
@@ -17,8 +17,8 @@
 LDADD= -lutil -lcrypt
 # XXX Kluge! Conversation mechanism needs to be fixed.
-DPADD+= ${LIBOPIE} ${LIBMD}
-LDADD+= -lopie -lmd
+DPADD+= ${LIBMD}
+LDADD+= -lmd
 LSDIR= ../../bin/ls
 .PATH: ${.CURDIR}/${LSDIR}
@@ -33,8 +33,14 @@
 .if ${MK_PAM_SUPPORT} != "no"
 CFLAGS+=-DUSE_PAM
-DPADD+= ${LIBPAM}
-LDADD+= ${MINUSLPAM}
+DPADD+= ${LIBPAM}
+LDADD+= ${MINUSLPAM}
 .endif
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
 .include
Index: libexec/ftpd/ftpd.c
===================================================================
--- libexec/ftpd/ftpd.c (revision 238117)
+++ libexec/ftpd/ftpd.c (working copy)
@@ -79,7 +79,6 @@
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -97,6 +96,10 @@
 #include
 #endif
+#ifdef USE_OPIE
+#include
+#endif
+
 #include "pathnames.h"
 #include "extern.h"
@@ -105,6 +108,9 @@
 static char version[] = "Version 6.00LS";
 #undef main
+extern off_t restart_point;
+extern char cbuf[];
+
 union sockunion ctrl_addr;
 union sockunion data_source;
 union sockunion data_dest;
@@ -180,8 +186,11 @@
 pam_handle_t *pamh = NULL;
 #endif
+#ifdef USE_OPIE
 static struct opie opiedata;
 static char opieprompt[OPIE_CHALLENGE_MAX+1];
+#endif
+
 static int pwok;
 char *pid_file = NULL; /* means default location to pidfile(3) */
@@ -1068,13 +1077,18 @@
 #ifdef USE_PAM
 /* XXX Kluge! The conversation mechanism needs to be fixed. */
 #endif
+
+#ifdef USE_OPIE
 if (opiechallenge(&opiedata, name, opieprompt) == 0) {
 pwok = (pw != NULL) &&
 opieaccessfile(remotehost) &&
 opiealways(pw->pw_dir);
 reply(331, "Response to %s %s for %s.", opieprompt,
 pwok ? "requested" : "required", name);
- } else {
+ }
+ else
+#endif
+ {
 pwok = 1;
 reply(331, "Password required for %s.", name);
 }
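Review bot: The `extern off_t restart_point;` and `extern char cbuf[];` declarations added in the ftpd.c hunk at -105 have nothing to do with the OPIE knob; ftpd.c already includes "extern.h" (visible in the -97 hunk), which is where shared declarations belong, so if extern.h does not already provide them they should be added there, and if it does they are another stray local change. Either way the hunk should say why it is in this PR or be dropped.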
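Review bot: The `#ifdef USE_OPIE ... } else #endif {` construction in the ftpd.c hunk at -1068 splits a single if/else across a preprocessor boundary, which is easy to misread and fragile to edit, and the `#ifdef USE_PAM`/`#endif` pair above it now wraps nothing but a comment. Keeping the whole OPIE branch inside one `#ifdef` and letting a local flag select the password path reads the same in both configurations and preserves the existing `pwok` semantics; the enclosing function starts and ends outside this hunk.
```c
	int challenged = 0;
#ifdef USE_OPIE
	if (opiechallenge(&opiedata, name, opieprompt) == 0) {
		pwok = (pw != NULL) &&
		    opieaccessfile(remotehost) &&
		    opiealways(pw->pw_dir);
		reply(331, "Response to %s %s for %s.", opieprompt,
		    pwok ? "requested" : "required", name);
		challenged = 1;
	}
#endif
	if (!challenged) {
		pwok = 1;
		reply(331, "Password required for %s.", name);
	}
```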
@@ -1392,13 +1406,18 @@
 #ifdef USE_PAM
 rval = auth_pam(&pw, passwd);
 if (rval >= 0) {
+#ifdef USE_OPIE
 opieunlock();
+#endif
 goto skip;
 }
 #endif
+#ifdef USE_OPIE
 if (opieverify(&opiedata, passwd) == 0)
 xpasswd = pw->pw_passwd;
- else if (pwok) {
+ else
+#endif
+ if (pwok) {
 xpasswd = crypt(passwd, pw->pw_passwd);
 if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
 xpasswd = ":";
@@ -1562,7 +1581,6 @@
 reply(550, "Can't change root.");
 goto bad;
 }
- __FreeBSD_libc_enter_restricted_mode();
 } else /* real user w/o chroot */
 homedir = pw->pw_dir;
 /*
@@ -1893,12 +1911,20 @@
 #ifdef TCP_NOPUSH
 /*
 * Turn off push flag to keep sender TCP from sending short packets
- * at the boundaries of each write().
+ * at the boundaries of each write(). Should probably do a SO_SNDBUF
+ * to set the send buffer size as well, but that may not be desirable
+ * in heavy-load situations.
 */
 on = 1;
 if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof on) < 0)
 syslog(LOG_WARNING, "data setsockopt (TCP_NOPUSH): %m");
 #endif
+#ifdef SO_SNDBUF
+ on = 65536;
+ if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on) < 0)
+ syslog(LOG_WARNING, "data setsockopt (SO_SNDBUF): %m");
+#endif
+
 return (fdopen(s, mode));
 bad:
 /* Return the real value of errno (close may change it) */
@@ -3490,3 +3516,4 @@
 }
 return(socks);
 }
+
>Release-Note: >Audit-Trail: >Unformatted:
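Review bot: The `- __FreeBSD_libc_enter_restricted_mode();` deletion in the ftpd.c hunk at -1562 removes the call that puts libc into restricted mode immediately after ftpd chroots into the user's directory; that call is the fix for the chrooted-ftpd nsswitch privilege escalation (FreeBSD-SA-11:07.chroot), and without it a user who controls files inside the chroot can again have the still-root ftpd process load an nsswitch module of their choosing. It is unrelated to OPIE and must be reverted before anything else in this PR is considered; the chroot branch it belongs to begins outside the hunk. The PR should also explain how a working copy of releng_9 lost this line, since it suggests the patch was generated against a tree with other local edits.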
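Review bot: Forcing `on = 65536` into SO_SNDBUF on every data socket in the -1893 hunk (together with the rewritten TCP_NOPUSH comment) is an unrelated behaviour change, and on FreeBSD setting SO_SNDBUF explicitly disables the kernel's send-buffer autosizing for that socket, so on high bandwidth-delay paths this caps the data connection at 64 KiB in flight rather than helping it. The new comment text itself says this "may not be desirable in heavy-load situations" and then the code does it unconditionally; `#ifdef SO_SNDBUF` is also always true here, so the guard is decorative. Drop this hunk from the OPIE patch, and if a fixed send buffer is really wanted make it an explicit ftpd option rather than a hard-coded constant.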