Subject: Patch to allow pam_listfile file=/dev/null
From: Karl O. Pinc (kop meme.com)
Date: Fri Dec 31 1999 - 03:20:26 CST
I want a convenient way to ensure that root will be able to login. The
natural solution is to put a "guard" check into my pam configuration file,
a line that always allows root in, no matter what silly authentication
requirements might follow. (Naturally, you want your "guard" line to be
after root has supplied sufficient authentication.) A similar strategy is
used to allow root indiscriminate use of su in the standard redhat pam
config files.
I use pam_listfile as my "guard" line. Of course, I could write a pam_user
module, a module that would take a user name as an argument and succeed
whenever the user attempting to login is the given user, but pam_listfile
already handles the more general case quite nicely. You tell pam_listfile
to look up root in an empty file, implementing /etc/ftpaccess style
permission checking on the empty file. Because the file's empty, root is
always granted access; good. Except that pam_listfile won't allow
file=/dev/null, you have to actually make an empty file -- and be sure it
stays empty(ish).
The following (presently illegal) configuration file fragment for
/etc/pam.d/login tells the story:
# The next line ensures that root can get in even when root's not
# in an allowed group! (The checks applied to root stop here!)
auth sufficient /lib/security/pam_listfile.so \
        item=tty onerr=succeed \
        sense=deny file=/dev/null apply=root
# grant access to just those in groups in /etc/group.d/loginallowed
auth required /lib/security/pam_listfile.so \
        item=group onerr=fail \
        sense=allow file=/etc/group.d/loginallowed
Yes, a custom module would be more efficient. But I don't think such a
module would improve pam configuration readability by much. The "guard"
technique would still require an idiom be recognized and learned. (In
fact, I'd like to see this idiom in an example in the documentation. While
I'm on the subject, an example with a control-flag [value=action] would
have saved me a big stupid.)
The following patch allows /dev/null to be used as a value for "file=", and
makes the above configuration legal:
(Apply patch from the Linux-PAM-0.72 directory with "patch -p 1
<<patchfile". Also, the original code had tabs in it. I don't know how
well the tabs mailed.)
------------------------------<snip patch here>----------------------------
--- Linux-PAM-0.72.orig/modules/pam_listfile/pam_listfile.c Sat Dec 26
22:04:22 1998
+++ Linux-PAM-0.72/modules/pam_listfile/pam_listfile.c Fri Dec 31 02:07:45
1999

-6,6 +6,7 
/*
* by Elliot Lee <sopwith
redhat.com>, Red Hat Software. July 25, 1996.
* log refused access error christopher mccrory <chrismcc
netus.com> 1998/7/11
+ * file=/dev/null allowed by Karl O. Pinc <kop
meme.com> 1999/12/31
*
* This code began life as the pam_rootok module.
*/
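Review bot: the changelog line in the file header is the only documentation this patch touches; the module's own documentation, which is where the file= argument and the regular-file, not-world-writable requirement are described, should also say that file=/dev/null is now accepted and that it is exempt from that check, otherwise administrators have no way to learn the special case exists or what it skips.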

-337,19 +338,21 
"Got file = %s, item = %d, value = %s, sense = %d",
ifname, citem, citemp, sense);
#endif
- if(lstat(ifname,&fileinfo)) {
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Couldn't open %s",ifname);
- return onerr;
- }
-
- if((fileinfo.st_mode & S_IWOTH)
- || !S_ISREG(fileinfo.st_mode)) {
- /* If the file is world writable or is not a
- normal file, return error */
- _pam_log(LOG_ERR,LOCAL_LOG_PREFIX
- "%s is either world writable or not a normal file",
- ifname);
- return PAM_AUTH_ERR;
+ if(!strcmp(ifname,"/dev/null")) {
+ if(lstat(ifname,&fileinfo)) {
+ _pam_log(LOG_ERR,LOCAL_LOG_PREFIX "Couldn't open %s",ifname);
+ return onerr;
+ }
+
+ if((fileinfo.st_mode & S_IWOTH)
+ || !S_ISREG(fileinfo.st_mode)) {
+ /* If the file is world writable or is not a
+ normal file, return error */
+ _pam_log(LOG_ERR,LOCAL_LOG_PREFIX
+ "%s is either world writable or not a normal file",
+ ifname);
+ return PAM_AUTH_ERR;
+ }
}
inf = fopen(ifname,"r");
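Review bot: the new condition `if(!strcmp(ifname,"/dev/null")) {` is inverted. strcmp returns 0 on a match, so `!strcmp(...)` is true exactly when ifname is "/dev/null"; the lstat / S_IWOTH / S_ISREG check therefore now runs only for /dev/null (a character device, so it still fails with "not a normal file") and is skipped for every other list file, including a world-writable or non-regular one. That is the opposite of the intent and removes the protection against a tamperable list file. Use `if(strcmp(ifname,"/dev/null") != 0) {` instead. Consider also recognising /dev/null by lstat'ing it and testing S_ISCHR rather than by comparing the path string, so that a regular file placed at that path is still rejected.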
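To make the "guard" idiom concrete, here is an added example, not code from the post above or from Linux-PAM: a small Python model of how one pam_listfile line decides (sense=, onerr=, apply=), of the two-line login stack the post proposes, and of the list-file safety check that rejects /dev/null because it is a character device rather than a regular file. The function names, the simplified "sufficient"/"required" stacking rules, and the stricter rule that accepts /dev/null only when it really is a character device are assumptions of this model.

```python
"""Model of pam_listfile decisions and of the post's two-line guard stack.

Added illustration; the names, the simplified stacking and the /dev/null
rule in listfile_is_safe() are assumptions, not Linux-PAM's own code.
"""
import os
import stat
import tempfile

PAM_SUCCESS, PAM_AUTH_ERR, PAM_IGNORE = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_IGNORE"


def listfile_is_safe(path):
    """Model of the module's check on the list file.

    The original code demands a regular file that is not world-writable,
    so /dev/null (a character device) fails it; that is the problem the
    post's patch addresses.  Here /dev/null is accepted only when it is
    really a character device (hypothetical stricter rule).
    """
    st = os.lstat(path)
    if path == "/dev/null":
        return stat.S_ISCHR(st.st_mode)
    return stat.S_ISREG(st.st_mode) and not (st.st_mode & stat.S_IWOTH)


def listfile(item_values, entries, sense, onerr="fail", apply_user=None, user=None):
    """One pam_listfile invocation.

    item_values: the values to look up (a tty name, or the user's groups).
    entries:     lines of the list file; None means the file could not be
                 opened, in which case onerr= decides the result.
    """
    if apply_user is not None and user != apply_user:
        return PAM_IGNORE                      # apply= limits the check to one user
    if entries is None:
        return PAM_SUCCESS if onerr == "succeed" else PAM_AUTH_ERR
    found = any(v in entries for v in item_values)
    if sense == "allow":
        return PAM_SUCCESS if found else PAM_AUTH_ERR
    return PAM_AUTH_ERR if found else PAM_SUCCESS   # sense=deny: absent means allowed


def login_stack(user, tty, groups, allowed_groups):
    """The post's two auth lines with simplified stacking rules:
    'sufficient' returns success immediately, 'required' fails the stack."""
    # auth sufficient pam_listfile.so item=tty onerr=succeed sense=deny
    #      file=/dev/null apply=root   -> empty list, so root is never denied
    guard = listfile([tty], [], "deny", onerr="succeed", apply_user="root", user=user)
    if guard == PAM_SUCCESS:
        return PAM_SUCCESS
    # auth required pam_listfile.so item=group onerr=fail sense=allow
    #      file=/etc/group.d/loginallowed
    return listfile(groups, allowed_groups, "allow", onerr="fail")


def demo_file_checks():
    """Which list files pass the safety check: /dev/null, an empty 0644
    regular file and an empty world-writable (0666) file (both constructed)."""
    results = {"/dev/null": listfile_is_safe("/dev/null")}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("empty_0644", 0o644), ("empty_0666", 0o666)):
            p = os.path.join(d, name)
            open(p, "w").close()
            os.chmod(p, mode)
            results[name] = listfile_is_safe(p)
    return results


if __name__ == "__main__":
    print("root, no allowed groups:", login_stack("root", "tty1", {"root"}, []))
    print("alice in staff:", login_stack("alice", "tty1", {"users", "staff"}, ["staff"]))
    print("alice not in staff:", login_stack("alice", "tty1", {"users"}, ["staff"]))
    print("file checks:", demo_file_checks())
```

The model makes the two properties of the idiom visible: with sense=deny an empty list can never match, so the guard line succeeds for root and is ignored (PAM_IGNORE) for everyone else because of apply=root; and the safety check is what stands between the administrator and a list file that an attacker could edit, which is why any special case for /dev/null should verify the device rather than only the path string.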
This archive was generated by hypermail 2b27 : Fri Dec 31 1999 - 03:21:08 CST