Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dird: Add PAM authorization #1115

Merged
merged 7 commits into from
Mar 11, 2022
Merged

dird: Add PAM authorization #1115

merged 7 commits into from
Mar 11, 2022

Conversation

arogge
Copy link
Member

@arogge arogge commented Mar 10, 2022
edited by pstorz
Loading

Add authorization checks to PAM login and fix a memory leak in PAM login routines.

Please check

  • Short description and the purpose of this PR is present above this paragraph
  • Your name is present in the AUTHORS file (optional)

If you have any questions or problems, please give a comment in the PR.

Helpful documentation and best practices

Checklist for the reviewer of the PR (will be processed by the Bareos team)

General
  • PR name is meaningful
  • Purpose of the PR is understood
  • Separate commit for this PR in the CHANGELOG.md, PR number referenced is same
  • Commit descriptions are understandable and well formatted
Source code quality
  • Source code changes are understandable
  • Variable and function names are meaningful
  • Code comments are correct (logically and spelling)
  • Required documentation changes are present and part of the PR
  • bareos-check-sources --since-merge does not report any problems
  • git status should not report modifications in the source tree after building and testing

@pstorz pstorz self-requested a review March 11, 2022 08:47
@pstorz pstorz changed the title Add PAM authorization dird: Add PAM authorization Mar 11, 2022
pstorz
pstorz requested changes Mar 11, 2022
View reviewed changes
Copy link
Member

@pstorz pstorz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good work!

  • bareos-check-sources found some small changes, maybe they can be merged into the changing commits,
  • As we now have the CVE Numbers that might make sense to refer to them.

CHANGELOG.md Outdated Show resolved Hide resolved
@arogge
systemtest: fix pam tests
2c82a19 
The PAM tests weren't enabled since the Python 3 transition renamed
PYTHON to PYTHON_EXECUTABLE. This is now fixed.
We also detect ASan builds and prepend the library to LD_PRELOAD so the
tests will work in such an environment.
@arogge
dir: fix memory-leak on failed PAM authentication
e8e7998 
Fixes CVE-2022-24756
@arogge
systemtests: prepare PAM tests for account checks
21f80cc 
This adapts the two PAM tests to work correctly with the upcoming
account checks. The test bconsole-pam will also check that authorization
is checked correctly (which is not yet the case, so the test currently
fails).
@arogge
dir: check account authorization during PAM login
abe4620 
Fixes CVE-2022-24755

Previously, when a user logged in via PAM, Bareos did only check for
authentication (i.e. the "auth" section in PAM). No authorization checks
were made (the "account" section in PAM). This patch now adds the proper
check.
This will break existing PAM configuration!
@arogge
docs: update PAM configuration
f4ccb86 
Add an account section to the example and describe what has changed and
what users should do to be able to login again.
@arogge arogge requested a review from pstorz March 11, 2022 10:08
@arogge arogge mentioned this pull request Mar 11, 2022
Merged
17 tasks
@arogge arogge merged commit 4be8081 into bareos:master Mar 11, 2022
@arogge arogge deleted the dev/arogge/master/fix-pam branch March 11, 2022 14:23
This was referenced Mar 11, 2022
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pstorz pstorz pstorz approved these changes

Assignees
No one assigned
Labels
requires backport to 19.2 requires backport to 20 requires backport to 21
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@arogge @pstorz @joergsteffens