libpam: add a new 'nullok_secure' option support to pam_unix

Debian patch to add a new 'nullok_secure' option to pam_unix, which accepts users with null passwords only when the applicant is connected from a tty listed in /etc/securetty. The original pam_unix.so was configured with nullok_secure in meta/recipes-extended/pam/libpam/pam.d/common-auth, but no such code exists actually. The patch set comes from: http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/054_pam_security_abstract_securetty_handling http://patch-tracker.debian.org/patch/series/view/pam/1.1.3-7.1/055_pam_unix_nullok_secure (From OE-Core rev: 10cdd66fe800cffe3f2cbf5c95550b4f7902a311) Signed-off-by: Ming Liu <ming.liu@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ming Liu <ming.liu@windriver.com> 2013-07-18 10:04:22 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-07-24 11:35:33 +0100
commit: 784d7b77294ae8066ff0ac91f7fc90f9795d2bd7 (patch)
tree: 1a101aca6397782d00d0cfd9b2860d243bb3a5c3 /meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
parent: 7af92f8fa3a12fc8fcb22dbd12f87d89768b2d39 (diff)
download: poky-784d7b77294ae8066ff0ac91f7fc90f9795d2bd7.tar.gz
1 files changed, 200 insertions, 0 deletions
diff --git a/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
new file mode 100644
index 0000000000..f1834f6ce3
--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
@@ -0,0 +1,200 @@
+Description: extract the securetty logic for use with the "nullok_secure" option
+ introduced in the "055_pam_unix_nullok_secure" patch.
+Upstream-Status: Pending
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+===================================================================
+diff -urpN a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am
+--- a/modules/pam_securetty/Makefile.am 2013-07-05 11:08:23.224483237 +0800
+++ b/modules/pam_securetty/Makefile.am 2013-07-05 11:15:21.304486456 +0800
+@@ -24,6 +24,10 @@ endif
+ securelib_LTLIBRARIES = pam_securetty.la
+ pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam
+ 
+pam_securetty_la_SOURCES =     \
+       pam_securetty.c         \
+       tty_secure.c
+
+ if ENABLE_REGENERATE_MAN
+ noinst_DATA = README
+ README: pam_securetty.8.xml
+diff -urpN a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
+--- a/modules/pam_securetty/pam_securetty.c     2013-07-05 11:07:50.064483568 +0800
+++ b/modules/pam_securetty/pam_securetty.c     2013-07-05 11:12:23.994483344 +0800
+@@ -1,7 +1,5 @@
+ /* pam_securetty module */
+ 
+-#define SECURETTY_FILE "/etc/securetty"
+-#define TTY_PREFIX     "/dev/"
+ #define CMDLINE_FILE   "/proc/cmdline"
+ #define CONSOLEACTIVE_FILE     "/sys/class/tty/console/active"
+ 
+@@ -40,6 +38,9 @@
+ #include <security/pam_modutil.h>
+ #include <security/pam_ext.h>
+ 
+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
+                                  const char *uttyname);
+
+ #define PAM_DEBUG_ARG       0x0001
+ #define PAM_NOCONSOLE_ARG   0x0002
+ 
+@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
+     const char *username;
+     const char *uttyname;
+     const void *void_uttyname;
+-    char ttyfileline[256];
+-    char ptname[256];
+-    struct stat ttyfileinfo;
+     struct passwd *user_pwd;
+-    FILE *ttyfile;
+ 
+     /* log a trail for debugging */
+     if (ctrl & PAM_DEBUG_ARG) {
+@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
+        return PAM_SERVICE_ERR;
+     }
+ 
+-    /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+-    if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
+-       uttyname += sizeof(TTY_PREFIX)-1;
+-    }
+-
+-    if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+-       pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
+-       return PAM_SUCCESS; /* for compatibility with old securetty handling,
+-                              this needs to succeed.  But we still log the
+-                              error. */
+-    }
+-
+-    if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+-       /* If the file is world writable or is not a
+-          normal file, return error */
+-       pam_syslog(pamh, LOG_ERR,
+-                  "%s is either world writable or not a normal file",
+-                  SECURETTY_FILE);
+-       return PAM_AUTH_ERR;
+-    }
+-
+-    ttyfile = fopen(SECURETTY_FILE,"r");
+-    if (ttyfile == NULL) { /* Check that we opened it successfully */
+-       pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+-       return PAM_SERVICE_ERR;
+-    }
+-
+-    if (isdigit(uttyname[0])) {
+-       snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+-    } else {
+-       ptname[0] = '\0';
+-    }
+-
+-    retval = 1;
+-
+-    while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
+-          && retval) {
+-       if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
+-           ttyfileline[strlen(ttyfileline) - 1] = '\0';
+-
+-       retval = ( strcmp(ttyfileline, uttyname)
+-                  && (!ptname[0] || strcmp(ptname, uttyname)) );
+-    }
+-    fclose(ttyfile);
+    retval = _pammodutil_tty_secure(pamh, uttyname);
+ 
+     if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
+         FILE *cmdlinefile;
+diff -urpN a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c
+--- a/modules/pam_securetty/tty_secure.c        1970-01-01 08:30:00.000000000 +0830
+++ b/modules/pam_securetty/tty_secure.c        2013-07-05 11:14:21.534482900 +0800
+@@ -0,0 +1,90 @@
+/*
+ * A function to determine if a particular line is in /etc/securetty
+ */
+
+
+#define SECURETTY_FILE "/etc/securetty"
+#define TTY_PREFIX     "/dev/"
+
+/* This function taken out of pam_securetty by Sam Hartman
+ * <hartmans@debian.org>*/
+/*
+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
+ * July 25, 1996.
+ * Slight modifications AGM. 1996/12/3
+ */
+
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <security/pam_modules.h>
+#include <stdarg.h>
+#include <syslog.h>
+#include <sys/syslog.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <security/pam_modutil.h>
+#include <security/pam_ext.h>
+
+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
+                                  const char *uttyname);
+
+int _pammodutil_tty_secure(const pam_handle_t *pamh, const char *uttyname)
+{
+    int retval = PAM_AUTH_ERR;
+    char ttyfileline[256];
+    char ptname[256];
+    struct stat ttyfileinfo;
+    FILE *ttyfile;
+    /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
+    if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
+       uttyname += sizeof(TTY_PREFIX)-1;
+
+    if (stat(SECURETTY_FILE, &ttyfileinfo)) {
+       pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
+                  SECURETTY_FILE);
+       return PAM_SUCCESS; /* for compatibility with old securetty handling,
+                              this needs to succeed.  But we still log the
+                              error. */
+    }
+
+    if ((ttyfileinfo.st_mode & S_IWOTH) || !S_ISREG(ttyfileinfo.st_mode)) {
+       /* If the file is world writable or is not a
+          normal file, return error */
+       pam_syslog(pamh, LOG_ERR,
+                  "%s is either world writable or not a normal file",
+                  SECURETTY_FILE);
+       return PAM_AUTH_ERR;
+    }
+
+    ttyfile = fopen(SECURETTY_FILE,"r");
+    if(ttyfile == NULL) { /* Check that we opened it successfully */
+       pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
+       return PAM_SERVICE_ERR;
+    }
+
+    if (isdigit(uttyname[0])) {
+       snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
+    } else {
+       ptname[0] = '\0';
+    }
+
+    retval = 1;
+
+    while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL) 
+          && retval) {
+       if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
+           ttyfileline[strlen(ttyfileline) - 1] = '\0';
+       retval = ( strcmp(ttyfileline,uttyname)
+                  && (!ptname[0] || strcmp(ptname, uttyname)) );
+    }
+    fclose(ttyfile);
+
+    if(retval) {
+       retval = PAM_AUTH_ERR;
+    }
+
+    return retval;
+}
author	Ming Liu <ming.liu@windriver.com>	2013-07-18 10:04:22 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-07-24 11:35:33 +0100
commit	784d7b77294ae8066ff0ac91f7fc90f9795d2bd7 (patch)
tree	1a101aca6397782d00d0cfd9b2860d243bb3a5c3 /meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
parent	7af92f8fa3a12fc8fcb22dbd12f87d89768b2d39 (diff)
download	poky-784d7b77294ae8066ff0ac91f7fc90f9795d2bd7.tar.gz

diff --git a/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch b/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch new file mode 100644 index 0000000000..f1834f6ce3 --- /dev/null +++ b/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch
@@ -0,0 +1,200 @@
	1	Description: extract the securetty logic for use with the "nullok_secure" option
	2	introduced in the "055_pam_unix_nullok_secure" patch.
	3
	4	Upstream-Status: Pending
	5
	6	Signed-off-by: Ming Liu <ming.liu@windriver.com>
	7	===================================================================
	8	diff -urpN a/modules/pam_securetty/Makefile.am b/modules/pam_securetty/Makefile.am
	9	--- a/modules/pam_securetty/Makefile.am 2013-07-05 11:08:23.224483237 +0800
	10	+++ b/modules/pam_securetty/Makefile.am 2013-07-05 11:15:21.304486456 +0800
	11	@@ -24,6 +24,10 @@ endif
	12	securelib_LTLIBRARIES = pam_securetty.la
	13	pam_securetty_la_LIBADD = -L$(top_builddir)/libpam -lpam
	14
	15	+pam_securetty_la_SOURCES = \
	16	+ pam_securetty.c \
	17	+ tty_secure.c
	18	+
	19	if ENABLE_REGENERATE_MAN
	20	noinst_DATA = README
	21	README: pam_securetty.8.xml
	22	diff -urpN a/modules/pam_securetty/pam_securetty.c b/modules/pam_securetty/pam_securetty.c
	23	--- a/modules/pam_securetty/pam_securetty.c 2013-07-05 11:07:50.064483568 +0800
	24	+++ b/modules/pam_securetty/pam_securetty.c 2013-07-05 11:12:23.994483344 +0800
	25	@@ -1,7 +1,5 @@
	26	/* pam_securetty module */
	27
	28	-#define SECURETTY_FILE "/etc/securetty"
	29	-#define TTY_PREFIX "/dev/"
	30	#define CMDLINE_FILE "/proc/cmdline"
	31	#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
	32
	33	@@ -40,6 +38,9 @@
	34	#include <security/pam_modutil.h>
	35	#include <security/pam_ext.h>
	36
	37	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
	38	+ const char *uttyname);
	39	+
	40	#define PAM_DEBUG_ARG 0x0001
	41	#define PAM_NOCONSOLE_ARG 0x0002
	42
	43	@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
	44	const char *username;
	45	const char *uttyname;
	46	const void *void_uttyname;
	47	- char ttyfileline[256];
	48	- char ptname[256];
	49	- struct stat ttyfileinfo;
	50	struct passwd *user_pwd;
	51	- FILE *ttyfile;
	52
	53	/* log a trail for debugging */
	54	if (ctrl & PAM_DEBUG_ARG) {
	55	@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
	56	return PAM_SERVICE_ERR;
	57	}
	58
	59	- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
	60	- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
	61	- uttyname += sizeof(TTY_PREFIX)-1;
	62	- }
	63	-
	64	- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
	65	- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
	66	- return PAM_SUCCESS; /* for compatibility with old securetty handling,
	67	- this needs to succeed. But we still log the
	68	- error. */
	69	- }
	70	-
	71	- if ((ttyfileinfo.st_mode & S_IWOTH) \|\| !S_ISREG(ttyfileinfo.st_mode)) {
	72	- /* If the file is world writable or is not a
	73	- normal file, return error */
	74	- pam_syslog(pamh, LOG_ERR,
	75	- "%s is either world writable or not a normal file",
	76	- SECURETTY_FILE);
	77	- return PAM_AUTH_ERR;
	78	- }
	79	-
	80	- ttyfile = fopen(SECURETTY_FILE,"r");
	81	- if (ttyfile == NULL) { /* Check that we opened it successfully */
	82	- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
	83	- return PAM_SERVICE_ERR;
	84	- }
	85	-
	86	- if (isdigit(uttyname[0])) {
	87	- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
	88	- } else {
	89	- ptname[0] = '\0';
	90	- }
	91	-
	92	- retval = 1;
	93	-
	94	- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
	95	- && retval) {
	96	- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
	97	- ttyfileline[strlen(ttyfileline) - 1] = '\0';
	98	-
	99	- retval = ( strcmp(ttyfileline, uttyname)
	100	- && (!ptname[0] \|\| strcmp(ptname, uttyname)) );
	101	- }
	102	- fclose(ttyfile);
	103	+ retval = _pammodutil_tty_secure(pamh, uttyname);
	104
	105	if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
	106	FILE *cmdlinefile;
	107	diff -urpN a/modules/pam_securetty/tty_secure.c b/modules/pam_securetty/tty_secure.c
	108	--- a/modules/pam_securetty/tty_secure.c 1970-01-01 08:30:00.000000000 +0830
	109	+++ b/modules/pam_securetty/tty_secure.c 2013-07-05 11:14:21.534482900 +0800
	110	@@ -0,0 +1,90 @@
	111	+/*
	112	+ * A function to determine if a particular line is in /etc/securetty
	113	+ */
	114	+
	115	+
	116	+#define SECURETTY_FILE "/etc/securetty"
	117	+#define TTY_PREFIX "/dev/"
	118	+
	119	+/* This function taken out of pam_securetty by Sam Hartman
	120	+ * <hartmans@debian.org>*/
	121	+/*
	122	+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
	123	+ * July 25, 1996.
	124	+ * Slight modifications AGM. 1996/12/3
	125	+ */
	126	+
	127	+#include <unistd.h>
	128	+#include <sys/types.h>
	129	+#include <sys/stat.h>
	130	+#include <security/pam_modules.h>
	131	+#include <stdarg.h>
	132	+#include <syslog.h>
	133	+#include <sys/syslog.h>
	134	+#include <stdio.h>
	135	+#include <string.h>
	136	+#include <stdlib.h>
	137	+#include <ctype.h>
	138	+#include <security/pam_modutil.h>
	139	+#include <security/pam_ext.h>
	140	+
	141	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
	142	+ const char *uttyname);
	143	+
	144	+int _pammodutil_tty_secure(const pam_handle_t pamh, const char uttyname)
	145	+{
	146	+ int retval = PAM_AUTH_ERR;
	147	+ char ttyfileline[256];
	148	+ char ptname[256];
	149	+ struct stat ttyfileinfo;
	150	+ FILE *ttyfile;
	151	+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
	152	+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
	153	+ uttyname += sizeof(TTY_PREFIX)-1;
	154	+
	155	+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
	156	+ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
	157	+ SECURETTY_FILE);
	158	+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
	159	+ this needs to succeed. But we still log the
	160	+ error. */
	161	+ }
	162	+
	163	+ if ((ttyfileinfo.st_mode & S_IWOTH) \|\| !S_ISREG(ttyfileinfo.st_mode)) {
	164	+ /* If the file is world writable or is not a
	165	+ normal file, return error */
	166	+ pam_syslog(pamh, LOG_ERR,
	167	+ "%s is either world writable or not a normal file",
	168	+ SECURETTY_FILE);
	169	+ return PAM_AUTH_ERR;
	170	+ }
	171	+
	172	+ ttyfile = fopen(SECURETTY_FILE,"r");
	173	+ if(ttyfile == NULL) { /* Check that we opened it successfully */
	174	+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
	175	+ return PAM_SERVICE_ERR;
	176	+ }
	177	+
	178	+ if (isdigit(uttyname[0])) {
	179	+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
	180	+ } else {
	181	+ ptname[0] = '\0';
	182	+ }
	183	+
	184	+ retval = 1;
	185	+
	186	+ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
	187	+ && retval) {
	188	+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
	189	+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
	190	+ retval = ( strcmp(ttyfileline,uttyname)
	191	+ && (!ptname[0] \|\| strcmp(ptname, uttyname)) );
	192	+ }
	193	+ fclose(ttyfile);
	194	+
	195	+ if(retval) {
	196	+ retval = PAM_AUTH_ERR;
	197	+ }
	198	+
	199	+ return retval;
	200	+}