From a5d2d67b8308a3fc4ecc833c6a55a86ba117badc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Groenvall?= Date: Wed, 13 Sep 2000 13:25:51 +0000 Subject: [PATCH] More tests to avoid Linux security holes. More logging. git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@9054 ec53bebd-3082-4978-b11e-865c3cabbd6b --- lib/auth/pam/pam.c | 78 ++++++++++++++++++++++++++++------------------ 1 file changed, 48 insertions(+), 30 deletions(-) diff --git a/lib/auth/pam/pam.c b/lib/auth/pam/pam.c index a26b50ffa..0aca6f431 100644 --- a/lib/auth/pam/pam.c +++ b/lib/auth/pam/pam.c @@ -60,7 +60,7 @@ RCSID("$Id$"); #endif static void -log_error(int level, const char *format, ...) +psyslog(int level, const char *format, ...) { va_list args; va_start(args, format); @@ -115,7 +115,7 @@ parse_ctrl(int argc, const char **argv) break; if (j >= KRB4_CTRLS) - log_error(LOG_ALERT, "unrecognized option [%s]", *argv); + psyslog(LOG_ALERT, "unrecognized option [%s]", *argv); else ctrl_flags |= krb4_args[j].flag; } @@ -134,7 +134,7 @@ pdeb(const char *format, ...) closelog(); } -#define ENTRY(f) pdeb("%s() ruid = %d euid = %d", f, getuid(), geteuid()) +#define ENTRY(func) pdeb("%s() flags = %d ruid = %d euid = %d", func, flags, getuid(), geteuid()) static void set_tkt_string(uid_t uid) @@ -182,9 +182,14 @@ verify_pass(pam_handle_t *pamh, old_euid = geteuid(); setreuid(0, 0); ret = krb_verify_user(name, inst, realm, pass, krb_verify, NULL); - if (setreuid(old_ruid, old_euid) != 0) + pdeb("krb_verify_user(`%s', `%s', `%s', pw, %d, NULL) returns %s", + name, inst, realm, krb_verify, + krb_get_err_text(ret)); + if (setreuid(old_ruid, old_euid) != 0 + || getuid() != old_ruid + || geteuid() != old_euid) { - log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid); + psyslog(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid); exit(1); } @@ -220,7 +225,7 @@ krb4_auth(pam_handle_t *pamh, ret = pam_get_item(pamh, PAM_AUTHTOK, (void **) &pass); if (ret != PAM_SUCCESS) { - log_error(LOG_ERR , "pam_get_item returned error to get-password"); + psyslog(LOG_ERR , "pam_get_item returned error to get-password"); return ret; } else if (pass != 0 && verify_pass(pamh, name, inst, pass) == PAM_SUCCESS) @@ -271,9 +276,11 @@ pam_sm_authenticate(pam_handle_t *pamh, struct passwd *pw; uid_t uid = -1; const char *name, *inst; + char realm[REALM_SZ]; + realm[0] = 0; - parse_ctrl(argc, argv); ENTRY("pam_sm_authenticate"); + parse_ctrl(argc, argv); ret = pam_get_user(pamh, &user, "login: "); if (ret != PAM_SUCCESS) @@ -316,11 +323,9 @@ pam_sm_authenticate(pam_handle_t *pamh, */ if (ret == PAM_SUCCESS && inst[0] != 0) { - char realm[REALM_SZ]; uid_t old_euid = geteuid(); uid_t old_ruid = getuid(); - realm[0] = 0; setreuid(0, 0); /* To read ticket file. */ if (krb_get_tf_fullname(tkt_string(), 0, 0, realm) != KSUCCESS) ret = PAM_SERVICE_ERR; @@ -334,37 +339,52 @@ pam_sm_authenticate(pam_handle_t *pamh, if (ret != PAM_SUCCESS) { dest_tkt(); /* Passwd known, ok to kill ticket. */ - log_error(LOG_NOTICE, - "%s.%s@%s is not allowed to log in as %s", - name, inst, realm, user); + psyslog(LOG_NOTICE, + "%s.%s@%s is not allowed to log in as %s", + name, inst, realm, user); } - if (setreuid(old_ruid, old_euid) != 0) + if (setreuid(old_ruid, old_euid) != 0 + || getuid() != old_ruid + || geteuid() != old_ruid) { - log_error(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid); + psyslog(LOG_ALERT , "setreuid(%d, %d) failed", old_ruid, old_euid); exit(1); } } if (ret == PAM_SUCCESS) - chown(tkt_string(), uid, -1); - - /* Sun dtlogin unlock screen does not call any other pam_* funcs. */ - if (ret == PAM_SUCCESS - && ctrl_on(KRB4_REAFSLOG) - && k_hasafs() - && (pw = getpwnam(user)) != 0) - krb_afslog_uid_home(/*cell*/ 0,/*realm_hint*/ 0, pw->pw_uid, pw->pw_dir); + { + psyslog(LOG_INFO, + "%s.%s@%s authenticated as user %s", + name, inst, realm, user); + if (chown(tkt_string(), uid, -1) == -1) + { + dest_tkt(); + psyslog(LOG_ALERT , "chown(%s, %d, -1) failed", tkt_string(), uid); + exit(1); + } + } + /* + * Kludge alert!!! Sun dtlogin unlock screen fails to call + * pam_setcred(3) with PAM_REFRESH_CRED after a successful + * authentication attempt, sic. + * + * This hack is designed as a workaround to that problem. + */ + if (ctrl_on(KRB4_REAFSLOG)) + if (ret == PAM_SUCCESS) + pam_sm_setcred(pamh, PAM_REFRESH_CRED, argc, argv); + return ret; } int pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) { - parse_ctrl(argc, argv); ENTRY("pam_sm_setcred"); - pdeb("flags = 0x%x", flags); + parse_ctrl(argc, argv); switch (flags & ~PAM_SILENT) { case 0: @@ -393,7 +413,7 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) k_unlog(); break; default: - log_error(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); + psyslog(LOG_ALERT , "pam_sm_setcred: unknown flags 0x%x", flags); break; } @@ -403,8 +423,8 @@ pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) int pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) { - parse_ctrl(argc, argv); ENTRY("pam_sm_open_session"); + parse_ctrl(argc, argv); return PAM_SUCCESS; } @@ -413,13 +433,11 @@ pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) int pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char**argv) { - parse_ctrl(argc, argv); ENTRY("pam_sm_close_session"); + parse_ctrl(argc, argv); /* This isn't really kosher, but it's handy. */ - dest_tkt(); - if (k_hasafs()) - k_unlog(); + pam_sm_setcred(pamh, PAM_DELETE_CRED, argc, argv); return PAM_SUCCESS; }