PAM

~roguescholar/pam/+git/upstream:ldv/pam_unix

Last commit made on 2024-01-04
Get this branch:
git clone -b ldv/pam_unix https://git.launchpad.net/~roguescholar/pam/+git/upstream

Branch information

Name:
ldv/pam_unix
Repository:
lp:~roguescholar/pam/+git/upstream

Recent commits

b3020da... by "Dmitry V. Levin" <email address hidden>

pam_unix/passverify: always run the helper to obtain shadow password file entries

Initially, when pam_unix.so verified the password, it used to try to
obtain the shadow password file entry for the given user by invoking
getspnam(3), and only when that didn't work and the effective uid
was nonzero, pam_unix.so used to invoke the helper as a fallback.

When SELinux support was introduced by commit
67aab1ff5515054341a438cf9804e9c9b3a88033, the fallback was extended
also for the case when SELinux was enabled.

Later, commit f220cace205332a3dc34e7b37a85e7627e097e7d extended the
fallback conditions for the case when pam_modutil_getspnam() failed
with EACCES.

Since commit 470823c4aacef5cb3b1180be6ed70846b61a3752, the helper is
invoked as a fallback when pam_modutil_getspnam() fails for any reason.

The ultimate solution for the case when pam_unix.so does not have
permissions to obtain the shadow password file entry is to stop trying
to use pam_modutil_getspnam() and to invoke the helper instead.
Here are two recent examples.

https://github.com/linux-pam/linux-pam/pull/484 describes a system
configuration where libnss_systemd is enabled along with libnss_files
in the shadow entry of nsswitch.conf, so when libnss_files is unable
to obtain the shadow password file entry for the root user, e.g. when
SELinux is enabled, NSS falls back to libnss_systemd which returns
a synthesized shadow password file entry for the root user, which
in turn locks the root user out.

https://bugzilla.redhat.com/show_bug.cgi?id=2150155 describes
essentially the same problem in a similar system configuration.

This commit is the final step in the direction of addressing the issue:
for password verification pam_unix.so now invokes the helper instead of
making the pam_modutil_getspnam() call.

* modules/pam_unix/passverify.c (get_account_info) [!HELPER_COMPILE]:
Always return PAM_UNIX_RUN_HELPER instead of trying to obtain
the shadow password file entry.

Complements: https://github.com/linux-pam/linux-pam/pull/386
Resolves: https://github.com/linux-pam/linux-pam/pull/484
Link: https://github.com/authselect/authselect/commit/1e78f7e048747024a846fd22d68afc6993734e92
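As an added illustration (not part of the commit or the Linux-PAM code base), this Python check parses an nsswitch.conf and reports which sources NSS would consult for the shadow database after libnss_files, the configuration the commit message describes; the sample config text and the set of sources treated as synthesizing entries are constructed assumptions.

```python
"""Flag nsswitch.conf 'shadow' lines where a source that can synthesize
entries (constructed assumption: systemd) follows 'files', so that a failed
libnss_files lookup (e.g. EACCES under SELinux) falls through to it."""
import re

# Constructed sample; not taken from any real system.
SAMPLE_NSSWITCH = """# constructed sample nsswitch.conf
passwd:   files systemd
group:    files systemd
shadow:   files systemd
hosts:    files dns
"""

# Assumption for this example: sources that may return a synthesized entry.
SYNTHESIZING_SOURCES = {"systemd"}

_ACTION_SPEC = re.compile(r"\[[^\]]*\]")   # e.g. [NOTFOUND=return]


def parse_nsswitch(text):
    """Return {database: [source, ...]}, ignoring comments, blank lines
    and bracketed action specifications."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        rest = _ACTION_SPEC.sub(" ", rest)
        dbs[db.strip()] = rest.split()
    return dbs


def shadow_fallback_sources(text):
    """Return the synthesizing sources listed after 'files' on the shadow
    line; an empty list means no such fallback is configured."""
    sources = parse_nsswitch(text).get("shadow", [])
    if "files" not in sources:
        return []
    after_files = sources[sources.index("files") + 1:]
    return [s for s in after_files if s in SYNTHESIZING_SOURCES]


if __name__ == "__main__":
    risky = shadow_fallback_sources(SAMPLE_NSSWITCH)
    if risky:
        print("shadow lookups fall back to:", ", ".join(risky))
    else:
        print("no synthesizing shadow fallback configured")
```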

76af638... by Christian Göttsche <email address hidden>

pam_timestamp: correct failure condition

Bail out on NULL pointer, not otherwise.

Reported by cppcheck.

Fixes: 8a3f0810 ("Y2038: use logind instead of utmp")

8a400c3... by Christian Göttsche <email address hidden>

pam_filter: drop invalid tty hack

The open(3) flag O_NOCTTY does not detach the calling process from the
opened file descriptor, like TIOCNOTTY, see tty(4), does.

Drop the invalid hack to avoid the file descriptor being leaked.

Reported by cppcheck.

4fbed4b... by Christian Göttsche <email address hidden>

tests: avoid NULL dereference in error branch

Reported by cppcheck.

9213863... by Christian Göttsche <email address hidden>

pam_timestamp: fix condition order

Check the array index first before dereferencing the array.
Also convert the index type to size_t to avoid casting.

Reported by cppcheck.

4f0cf2e... by Christian Göttsche <email address hidden>

libpamc/test: fix assignment

Assign the error code instead of performing a no-op comparison.

Reported by cppcheck.

b1e446f... by Christian Göttsche <email address hidden>

libpamc/test: pipe deallocation mismatch

Close pipes opened via popen(3) with pclose(3).
Also close the pipe in error branches.

Reported by cppcheck.

9893308... by Tobias Stoeckmann <email address hidden>

pam_listfile: use getline

Signed-off-by: Tobias Stoeckmann <email address hidden>

73d009e... by Tobias Stoeckmann <email address hidden>

pam_unix: use getline

Signed-off-by: Tobias Stoeckmann <email address hidden>

b285652... by Tobias Stoeckmann <email address hidden>

pam_xauth: use getline

Signed-off-by: Tobias Stoeckmann <email address hidden>