Showing
7 changed files
with
218 additions
and
44 deletions.
@@ -0,0 +1,31 @@ | ||
From 0e9b286afe1224b91ff00936058b084ad4b776e4 Mon Sep 17 00:00:00 2001 | ||
From: ikerexxe <ipedrosa@redhat.com> | ||
Date: Tue, 16 Jun 2020 14:44:04 +0200 | ||
Subject: [PATCH] pam_usertype: avoid determining if user exists | ||
|
||
Taking a look at the time for the password prompt to appear it was | ||
possible to determine if a user existed in a system. Solved it by | ||
matching the runtime until the password prompt was shown by always | ||
checking the password hash for an existing and a non-existing user. | ||
|
||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 | ||
--- | ||
modules/pam_usertype/pam_usertype.c | 3 +++ | ||
1 file changed, 3 insertions(+) | ||
|
||
diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c | ||
index 2807c306..d03b73b5 100644 | ||
--- a/modules/pam_usertype/pam_usertype.c | ||
+++ b/modules/pam_usertype/pam_usertype.c | ||
@@ -139,8 +139,11 @@ pam_usertype_get_uid(struct pam_usertype_opts *opts, | ||
"error retrieving information about user %s", username); | ||
} | ||
|
||
+ pam_modutil_getpwnam(pamh, "root"); | ||
+ | ||
return PAM_USER_UNKNOWN; | ||
} | ||
+ pam_modutil_getpwnam(pamh, "pam_usertype_non_existent:"); | ||
|
||
*_uid = pwd->pw_uid; | ||
|
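Review bot: Both added `pam_modutil_getpwnam()` calls discard their result and nothing on the line says that the discarded lookup is the whole point, so a later maintainer or a static analyser will read them as dead calls and remove them. I would mark the intent on each line, e.g. `(void) pam_modutil_getpwnam(pamh, "root"); /* dummy lookup: keep the unknown-user path as slow as a successful one */` and the mirror comment on the `"pam_usertype_non_existent:"` call. Whether a lookup of `root` costs the same as a lookup of an arbitrary existing user depends on the NSS sources and their cache state, so the equalisation is best-effort and the comment should say so. `pam_usertype_get_uid` starts and ends outside the hunk.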
@@ -0,0 +1,47 @@ | ||
From 395915dae1571e10e2766c999974de864655ea3a Mon Sep 17 00:00:00 2001 | ||
From: ikerexxe <ipedrosa@redhat.com> | ||
Date: Mon, 15 Jun 2020 09:52:11 +0200 | ||
Subject: [PATCH] pam_faillock: change /run/faillock/$USER permissions to 0660 | ||
|
||
Nowadays, /run/faillock/$USER files have user:root ownership and 0600 | ||
permissions. This forces the process that writes to these files to have | ||
CAP_DAC_OVERRIDE capabilites. Just by changing the permissions to 0660 | ||
the capability can be removed, which leads to a more secure system. | ||
|
||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1661822 | ||
--- | ||
modules/pam_faillock/faillock.c | 14 +++++++++++++- | ||
1 file changed, 13 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/modules/pam_faillock/faillock.c b/modules/pam_faillock/faillock.c | ||
index e492f5f9..4ea94cbe 100644 | ||
--- a/modules/pam_faillock/faillock.c | ||
+++ b/modules/pam_faillock/faillock.c | ||
@@ -76,7 +76,7 @@ open_tally (const char *dir, const char *user, uid_t uid, int create) | ||
flags |= O_CREAT; | ||
} | ||
|
||
- fd = open(path, flags, 0600); | ||
+ fd = open(path, flags, 0660); | ||
|
||
free(path); | ||
|
||
@@ -88,6 +88,18 @@ open_tally (const char *dir, const char *user, uid_t uid, int create) | ||
if (st.st_uid != uid) { | ||
ignore_return(fchown(fd, uid, -1)); | ||
} | ||
+ | ||
+ /* | ||
+ * If umask is set to 022, as will probably in most systems, then the | ||
+ * group will not be able to write to the file. So, change the file | ||
+ * permissions just in case. | ||
+ * Note: owners of this file are user:root, so if the permissions are | ||
+ * not changed the root process writing to this file will require | ||
+ * CAP_DAC_OVERRIDE. | ||
+ */ | ||
+ if (!(st.st_mode & S_IWGRP)) { | ||
+ ignore_return(fchmod(fd, 0660)); | ||
+ } | ||
} | ||
} | ||
|
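Review bot: The new group-write bit is granted to whatever group the tally file happens to carry, but the hunk only corrects the owner: `fchown(fd, uid, -1)` leaves `st_gid` as inherited from the creating process or a setgid directory, and the comment's claim that the file is `user:root` is not enforced by any visible line. With `/run/faillock` created `0755 root root` the creator is normally root, so this is a hardening gap rather than a live hole, but a root process running with a non-zero effective gid would now hand that group write access to the lock record. I would enforce the group together with the owner, `if (st.st_uid != uid || st.st_gid != 0) { ignore_return(fchown(fd, uid, 0)); }`, which also makes the comment true by construction. The enclosing `open_tally` starts and ends outside the hunk.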
@@ -0,0 +1,85 @@ | ||
From af0faf666c5008e54dfe43684f210e3581ff1bca Mon Sep 17 00:00:00 2001 | ||
From: ikerexxe <ipedrosa@redhat.com> | ||
Date: Tue, 16 Jun 2020 14:32:36 +0200 | ||
Subject: [PATCH] pam_unix: avoid determining if user exists | ||
|
||
Taking a look at the time for the password prompt to appear it was | ||
possible to determine if a user existed in a system. Solved it by | ||
matching the runtime until the password prompt was shown by always | ||
checking the password hash for an existing and a non-existing user. | ||
|
||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1629598 | ||
--- | ||
modules/pam_unix/passverify.c | 6 ++++++ | ||
modules/pam_unix/support.c | 33 ++++++++++++++++++++++++++------- | ||
2 files changed, 32 insertions(+), 7 deletions(-) | ||
|
||
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c | ||
index a571b4f7..7455eae6 100644 | ||
--- a/modules/pam_unix/passverify.c | ||
+++ b/modules/pam_unix/passverify.c | ||
@@ -1096,6 +1096,12 @@ helper_verify_password(const char *name, const char *p, int nullok) | ||
if (pwd == NULL || hash == NULL) { | ||
helper_log_err(LOG_NOTICE, "check pass; user unknown"); | ||
retval = PAM_USER_UNKNOWN; | ||
+ } else if (p[0] == '\0' && nullok) { | ||
+ if (hash[0] == '\0') { | ||
+ retval = PAM_SUCCESS; | ||
+ } else { | ||
+ retval = PAM_AUTH_ERR; | ||
+ } | ||
} else { | ||
retval = verify_pwd_hash(p, hash, nullok); | ||
} | ||
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c | ||
index 41db1f04..dc67238c 100644 | ||
--- a/modules/pam_unix/support.c | ||
+++ b/modules/pam_unix/support.c | ||
@@ -601,6 +601,8 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name | ||
char *salt = NULL; | ||
int daysleft; | ||
int retval; | ||
+ int execloop = 1; | ||
+ int nonexistent = 1; | ||
|
||
D(("called")); | ||
|
||
@@ -624,14 +626,31 @@ _unix_blankpasswd (pam_handle_t *pamh, unsigned long long ctrl, const char *name | ||
|
||
/* UNIX passwords area */ | ||
|
||
- retval = get_pwd_hash(pamh, name, &pwd, &salt); | ||
+ /* | ||
+ * Execute this loop twice: one checking the password hash of an existing | ||
+ * user and another one for a non-existing user. This way the runtimes | ||
+ * are equal, making it more difficult to differentiate existing from | ||
+ * non-existing users. | ||
+ */ | ||
+ while (execloop) { | ||
+ retval = get_pwd_hash(pamh, name, &pwd, &salt); | ||
|
||
- if (retval == PAM_UNIX_RUN_HELPER) { | ||
- /* salt will not be set here so we can return immediately */ | ||
- if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) | ||
- return 1; | ||
- else | ||
- return 0; | ||
+ if (retval == PAM_UNIX_RUN_HELPER) { | ||
+ execloop = 0; | ||
+ if(nonexistent) { | ||
+ get_pwd_hash(pamh, "pam_unix_non_existent:", &pwd, &salt); | ||
+ } | ||
+ /* salt will not be set here so we can return immediately */ | ||
+ if (_unix_run_helper_binary(pamh, NULL, ctrl, name) == PAM_SUCCESS) | ||
+ return 1; | ||
+ else | ||
+ return 0; | ||
+ } else if (retval == PAM_USER_UNKNOWN) { | ||
+ name = "root"; | ||
+ nonexistent = 0; | ||
+ } else { | ||
+ execloop = 0; | ||
+ } | ||
} | ||
|
||
/* Does this user have a password? */ |
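Review bot: In the support.c hunk `name = "root"` overwrites the caller's user for the rest of `_unix_blankpasswd`, so the unknown-user path no longer answers the question it was asked: on the second pass the helper is invoked as `_unix_run_helper_binary(pamh, NULL, ctrl, "root")`, and when the shadow file is readable the loop exits with root's `pwd`/`salt`, which the "Does this user have a password?" code below the hunk then inspects. If root's hash is empty and `nullok` is in effect, an arbitrary non-existent username would therefore be reported as having a blank password, whereas before the commit an unknown user could never reach that outcome. I would do the padding lookup through a separate variable and discard its result after the loop, as sketched below; the helper keeps the original `name` so it still performs its own lookup for the unknown user. The `nonexistent` flag reads inverted (it is 1 until the user turns out not to exist) and deserves a clearer name or a comment. `_unix_blankpasswd` continues outside the hunk.
```c
	const char *lookup_name = name;	/* what get_pwd_hash is asked about; may become the dummy */
	/* … unchanged: remaining declarations, D(("called")), early checks … */
	while (execloop) {
		retval = get_pwd_hash(pamh, lookup_name, &pwd, &salt);
		/* … unchanged: PAM_UNIX_RUN_HELPER branch (helper still called with the caller's name) … */
		} else if (retval == PAM_USER_UNKNOWN) {
			lookup_name = "root";
			nonexistent = 0;
		/* … unchanged: else branch … */
	}

	/* The "root" lookup only pads the timing of the unknown-user path;
	 * its hash must not decide whether the caller's user is passwordless. */
	if (!nonexistent)
		return 0;
```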
@@ -0,0 +1 @@ | ||
d /run/faillock 0755 root root - |
This file was deleted.