Diffstat (limited to 'meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch')
-rw-r--r-- | meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch | 222 |
1 files changed, 222 insertions, 0 deletions
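--- /dev/null
+++ b/meta/recipes-extended/pam/libpam/pam-unix-nullok-secure.patch
@@ -0,0 +1,222 @@
+Debian patch to add a new 'nullok_secure' option to pam_unix, which
+accepts users with null passwords only when the applicant is connected
+from a tty listed in /etc/securetty.
+
+Authors: Sam Hartman <hartmans@debian.org>,
+Steve Langasek <vorlon@debian.org>
+
+Upstream-Status: Pending
+
+Signed-off-by: Ming Liu <ming.liu@windriver.com>
+===================================================================
+diff -urpN a/modules/pam_unix/Makefile.am b/modules/pam_unix/Makefile.am
+--- a/modules/pam_unix/Makefile.am 2013-07-05 09:51:31.014483164 +0800
++++ b/modules/pam_unix/Makefile.am 2013-07-05 10:26:12.884484000 +0800
+@@ -30,7 +30,8 @@ if HAVE_VERSIONING
+pam_unix_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+endif
+pam_unix_la_LIBADD = $(top_builddir)/libpam/libpam.la \
+- @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS)
++ @LIBCRYPT@ @LIBSELINUX@ $(NIS_LIBS) \
++ ../pam_securetty/tty_secure.lo
+
+securelib_LTLIBRARIES = pam_unix.la
+
+diff -urpN a/modules/pam_unix/pam_unix.8 b/modules/pam_unix/pam_unix.8
+--- a/modules/pam_unix/pam_unix.8 2013-07-05 09:52:16.825108201 +0800
++++ b/modules/pam_unix/pam_unix.8 2013-07-05 10:28:34.724483774 +0800
+@@ -220,7 +220,14 @@ A little more extreme than debug\&.
+.RS 4
+The default action of this module is to not permit the user access to a service if their official password is blank\&. The
+\fBnullok\fR
+-argument overrides this default\&.
++argument overrides this default and allows any user with a blank password to access the service\&.
++.RE
++.PP
++\fBnullok_secure\fR
++.RS 4
++The default action of this module is to not permit the user access to a service if their official password is blank\&. The
++\fBnullok_secure\fR
++argument overrides this default and allows any user with a blank password to access the service as long as the value of PAM_TTY is set to one of the values found in /etc/securetty\&.
+.RE
+.PP
+\fBtry_first_pass\fR
+diff -urpN a/modules/pam_unix/pam_unix.8.xml b/modules/pam_unix/pam_unix.8.xml
+--- a/modules/pam_unix/pam_unix.8.xml 2013-07-05 09:52:38.775108523 +0800
++++ b/modules/pam_unix/pam_unix.8.xml 2013-07-05 10:30:23.084483630 +0800
+@@ -135,7 +135,24 @@
+<para>
+The default action of this module is to not permit the
+user access to a service if their official password is blank.
+- The <option>nullok</option> argument overrides this default.
++ The <option>nullok</option> argument overrides this default
++ and allows any user with a blank password to access the
++ service.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>nullok_secure</option>
++ </term>
++ <listitem>
++ <para>
++ The default action of this module is to not permit the
++ user access to a service if their official password is blank.
++ The <option>nullok_secure</option> argument overrides this
++ default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of
++ the values found in /etc/securetty.
+</para>
+</listitem>
+</varlistentry>
+diff -urpN a/modules/pam_unix/README b/modules/pam_unix/README
+--- a/modules/pam_unix/README 2013-07-05 09:51:52.205107846 +0800
++++ b/modules/pam_unix/README 2013-07-05 10:27:10.774484537 +0800
+@@ -57,7 +57,16 @@ nullok
+
+The default action of this module is to not permit the user access to a
+service if their official password is blank. The nullok argument overrides
+- this default.
++ this default and allows any user with a blank password to access the
++ service.
++
++nullok_secure
++
++ The default action of this module is to not permit the user access to a
++ service if their official password is blank. The nullok_secure argument
++ overrides this default and allows any user with a blank password to access
++ the service as long as the value of PAM_TTY is set to one of the values
++ found in /etc/securetty.
+
+try_first_pass
+
+diff -urpN a/modules/pam_unix/support.c b/modules/pam_unix/support.c
+--- a/modules/pam_unix/support.c 2013-07-05 09:50:49.134482523 +0800
++++ b/modules/pam_unix/support.c 2013-07-05 09:56:26.924484267 +0800
+@@ -84,14 +84,22 @@ int _set_ctrl(pam_handle_t *pamh, int fl
+/* now parse the arguments to this module */
+
+for (; argc-- > 0; ++argv) {
+- int j;
++ int j, sl;
+
+D(("pam_unix arg: %s", *argv));
+
+for (j = 0; j < UNIX_CTRLS_; ++j) {
+- if (unix_args[j].token
+- && !strncmp(*argv, unix_args[j].token, strlen(unix_args[j].token))) {
+- break;
++ if (unix_args[j].token) {
++ sl = strlen(unix_args[j].token);
++ if (unix_args[j].token[sl-1] == '=') {
++ /* exclude argument from comparison */
++ if (!strncmp(*argv, unix_args[j].token, sl))
++ break;
++ } else {
++ /* compare full strings */
++ if (!strcmp(*argv, unix_args[j].token))
++ break;
++ }
+}
+}
+
+@@ -461,6 +469,7 @@ static int _unix_run_helper_binary(pam_h
+child = fork();
+if (child == 0) {
+int i=0;
++ int nullok = off(UNIX__NONULL, ctrl);
+struct rlimit rlim;
+static char *envp[] = { NULL };
+char *args[] = { NULL, NULL, NULL, NULL };
+@@ -488,7 +497,18 @@ static int _unix_run_helper_binary(pam_h
+/* exec binary helper */
+args[0] = strdup(CHKPWD_HELPER);
+args[1] = x_strdup(user);
+- if (off(UNIX__NONULL, ctrl)) { /* this means we've succeeded */
++
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ const void *uttyname;
++ retval = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval != PAM_SUCCESS || uttyname == NULL
++ || _pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ {
++ nullok = 0;
++ }
++ }
++
++ if (nullok) {
+args[2]=strdup("nullok");
+} else {
+args[2]=strdup("nonull");
+@@ -567,6 +587,17 @@ _unix_blankpasswd (pam_handle_t *pamh, u
+if (on(UNIX__NONULL, ctrl))
+return 0; /* will fail but don't let on yet */
+
++ if (on(UNIX_NULLOK_SECURE, ctrl)) {
++ int retval2;
++ const void *uttyname;
++ retval2 = pam_get_item(pamh, PAM_TTY, &uttyname);
++ if (retval2 != PAM_SUCCESS || uttyname == NULL)
++ return 0;
++
++ if (_pammodutil_tty_secure(pamh, (const char *)uttyname) != PAM_SUCCESS)
++ return 0;
++ }
++
+/* UNIX passwords area */
+
+retval = get_pwd_hash(pamh, name, &pwd, &salt);
+@@ -653,7 +684,8 @@ int _unix_verify_password(pam_handle_t *
+}
+}
+} else {
+- retval = verify_pwd_hash(p, salt, off(UNIX__NONULL, ctrl));
++ retval = verify_pwd_hash(p, salt,
++ _unix_blankpasswd(pamh, ctrl, name));
+}
+
+if (retval == PAM_SUCCESS) {
+diff -urpN a/modules/pam_unix/support.h b/modules/pam_unix/support.h
+--- a/modules/pam_unix/support.h 2013-07-05 09:51:10.385107934 +0800
++++ b/modules/pam_unix/support.h 2013-07-05 10:23:54.815107842 +0800
+@@ -90,8 +90,9 @@ typedef struct {
+password hash algorithms */
+#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
+#define UNIX_MIN_PASS_LEN 27 /* min length for password */
++#define UNIX_NULLOK_SECURE 28 /* NULL passwords allowed only on secure ttys */
+/* -------------- */
+-#define UNIX_CTRLS_ 28 /* number of ctrl arguments defined */
++#define UNIX_CTRLS_ 29 /* number of ctrl arguments defined */
+
+#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
+
+@@ -109,7 +110,7 @@ static const UNIX_Ctrls unix_args[UNIX_C
+/* UNIX_NOT_SET_PASS */ {"not_set_pass", _ALL_ON_, 0100},
+/* UNIX__PRELIM */ {NULL, _ALL_ON_^(0600), 0200},
+/* UNIX__UPDATE */ {NULL, _ALL_ON_^(0600), 0400},
+-/* UNIX__NONULL */ {NULL, _ALL_ON_, 01000},
++/* UNIX__NONULL */ {NULL, _ALL_ON_^(0x10000000), 0x200},
+/* UNIX__QUIET */ {NULL, _ALL_ON_, 02000},
+/* UNIX_USE_AUTHTOK */ {"use_authtok", _ALL_ON_, 04000},
+/* UNIX_SHADOW */ {"shadow", _ALL_ON_, 010000},
+@@ -127,7 +128,8 @@ static const UNIX_Ctrls unix_args[UNIX_C
+/* UNIX_SHA512_PASS */ {"sha512", _ALL_ON_^(0260420000), 040000000},
+/* UNIX_ALGO_ROUNDS */ {"rounds=", _ALL_ON_, 0100000000},
+/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000},
+-/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
++/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000},
++/* UNIX_NULLOK_SECURE */ {"nullok_secure", _ALL_ON_^(0x200), 0x10000000},
+};
+
+#define UNIX_DEFAULTS (unix_args[UNIX__NONULL].flag)
+@@ -163,6 +165,9 @@ extern int _unix_read_password(pam_handl
+,const char *data_name
+,const void **pass);
+
++extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
++ const char *uttyname);
++
+extern int _unix_run_verify_binary(pam_handle_t *pamh,
+unsigned int ctrl, const char *user, int *daysleft);
+#endif /* _PAM_UNIX_SUPPORT_H */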
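Review bot: In the `_set_ctrl` hunk of support.c, `unix_args[j].token[sl-1]` reads one byte before the string for any zero-length token, and `sl` is an `int` receiving the `size_t` result of `strlen`; every token visible in the `unix_args` table is non-empty, so this is latent today, but `size_t sl;` together with `if (sl > 0 && unix_args[j].token[sl-1] == '=') {` keeps the match in bounds and conversion-clean if a token is ever added as `""`. The `_unix_verify_password` hunk now passes `_unix_blankpasswd(pamh, ctrl, name)` as the nullok argument, and `_unix_blankpasswd` itself calls `get_pwd_hash` (visible as context in its hunk), which appears to repeat a lookup the caller has already done to obtain `salt`; a comment such as `/* _unix_blankpasswd re-reads the hash so the nullok_secure tty check gates empty passwords here too */` would make the duplicate lookup clearly intentional. The two `PAM_TTY` checks fail closed when the item is unset or `_pammodutil_tty_secure` rejects it, which is the right default; the same logic appears in both `_unix_run_helper_binary` and `_unix_blankpasswd`, so a single static helper returning whether null passwords are permitted for this ctrl/tty would remove the duplication. All four patched functions (`_set_ctrl`, `_unix_run_helper_binary`, `_unix_blankpasswd`, `_unix_verify_password`) start and end outside their hunks.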