Hello community, here is the log from the commit of package pam_u2f for openSUSE:Factory checked in at 2019-06-05 11:46:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pam_u2f (Old) and /work/SRC/openSUSE:Factory/.pam_u2f.new.5148 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pam_u2f" Wed Jun 5 11:46:28 2019 rev:6 rq:707661 version:1.0.8 Changes: -------- --- /work/SRC/openSUSE:Factory/pam_u2f/pam_u2f.changes 2018-05-16 11:44:08.290741935 +0200 +++ /work/SRC/openSUSE:Factory/.pam_u2f.new.5148/pam_u2f.changes 2019-06-05 11:46:35.142989450 +0200 @@ -1,0 +2,9 @@ +Tue Jun 4 13:19:36 UTC 2019 - Karol Babioch <[email protected]> + +- Version 1.0.8 (released 2019-06-04) + * Fix insecure debug file handling CVE-2019-12209 (bsc#1135729). + * Fix debug file descriptor leak CVE-2019-12210 (bsc#1135727). + * Fix a non-critical buffer oob access. +- Applied spec-cleaner + +------------------------------------------------------------------- Old: ---- pam_u2f-1.0.7.tar.gz pam_u2f-1.0.7.tar.gz.sig New: ---- pam_u2f-1.0.8.tar.gz pam_u2f-1.0.8.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pam_u2f.spec ++++++ --- /var/tmp/diff_new_pack.XO4s2k/_old 2019-06-05 11:46:36.090989212 +0200 +++ /var/tmp/diff_new_pack.XO4s2k/_new 2019-06-05 11:46:36.090989212 +0200 @@ -1,7 +1,7 @@ # # spec file for package pam_u2f # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -12,25 +12,24 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: pam_u2f -Version: 1.0.7 +Version: 1.0.8 Release: 0 Summary: U2F authentication integration into PAM License: BSD-2-Clause Group: Productivity/Networking/Security -Url: https://developers.yubico.com +URL: https://developers.yubico.com Source0: https://developers.yubico.com/pam-u2f/Releases/%{name}-%{version}.tar.gz Source1: https://developers.yubico.com/pam-u2f/Releases/%{name}-%{version}.tar.gz.sig Source2: baselib.conf BuildRequires: pam-devel -BuildRequires: pkg-config +BuildRequires: pkgconfig BuildRequires: pkgconfig(u2f-host) BuildRequires: pkgconfig(u2f-server) -BuildRoot: %{_tmppath}/%{name}-%{version}-build %description The PAM U2F module provides a way to integrate the Yubikey @@ -49,8 +48,8 @@ find %{buildroot} -type f -name "*.la" -delete -print %files -%defattr(-,root,root,-) -%doc AUTHORS COPYING NEWS ChangeLog README +%license COPYING +%doc AUTHORS NEWS ChangeLog README %{_bindir}/pamu2fcfg %{_mandir}/man?/* /%{_lib}/security/pam_u2f.so ++++++ pam_u2f-1.0.7.tar.gz -> pam_u2f-1.0.8.tar.gz ++++++ ++++ 2782 lines of diff (skipped) ++++ retrying with extended exclude list diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/ChangeLog new/pam_u2f-1.0.8/ChangeLog --- old/pam_u2f-1.0.7/ChangeLog 2018-05-15 10:54:03.000000000 +0200 +++ new/pam_u2f-1.0.8/ChangeLog 2019-06-04 13:05:52.000000000 +0200 
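Review bot: Source1 pulls in the detached `%{name}-%{version}.tar.gz.sig`, but no `%{name}.keyring` source is visible in this hunk (the Source list shown is Source0, Source1 and `Source2: baselib.conf`), and to my knowledge the OBS source validator only verifies a signature when such a keyring with the upstream release key is present — otherwise the .sig is shipped alongside without proving that the 1.0.8 tarball carrying the CVE fixes is Yubico's. Unless a keyring entry lives in a part of the spec outside this hunk, add `Source3: %{name}.keyring` next to Source1 and check in Yubico's release key, so the download is verified at check-in rather than trusted on the URL alone.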
@@ -1,3 +1,50 @@ +2019-06-04 Alessio Di Mauro <[email protected]> + + * NEWS: Update NEWS file + +2019-06-04 Alessio Di Mauro <[email protected]> + + * man/pam_u2f.8.txt: Update manual + +2019-06-04 Alessio Di Mauro <[email protected]> + + * : Merge PR #116 + +2019-06-04 Gabriel Kihlman <[email protected]> + + * Makefile.am, README, configure.ac, drop_privs.c, drop_privs.h, + pam-u2f.c: Drop privileges by default when opening user-related + files The module is typically executed as root and would sometimes open + files or follow symlinks that could be controlled from the outside. Drop privileges to the target user before opening any files. Fixes CVE-2019-12209. Thanks to Matthias Gerstner of the SUSE Security Team for reporting + the issue. + +2019-06-04 Gabriel Kihlman <[email protected]> + + * pam-u2f.c, util.c, util.h: Do not leak file descriptor when doing + exec When opening a custom debug file, the descriptor would stay open + when calling exec and leak to the child process. Make sure all files are opened with close-on-exec. This fixes CVE-2019-12210. Thanks to Matthias Gerstner of the SUSE Security Team for reporting + the issue. 
+ +2019-04-01 Alessio Di Mauro <[email protected]> + + * : Merge pull request #115 from Yubico/malloc_debug Handle malloc failing when logging + +2018-07-23 Alessio Di Mauro <[email protected]> + + * README: Add more explicit dependencies to README Closes #101 + +2018-05-17 Alessio Di Mauro <[email protected]> + + * man/pam_u2f.8.txt: Fix typo in man page + +2018-05-17 Alessio Di Mauro <[email protected]> + + * : Merge PR 95 + +2018-05-15 Alessio Di Mauro <[email protected]> + + * NEWS, configure.ac: Bump version + 2018-05-15 Alessio Di Mauro <[email protected]> * NEWS: Update NEWS file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/Makefile.am new/pam_u2f-1.0.8/Makefile.am --- old/pam_u2f-1.0.7/Makefile.am 2018-04-27 17:20:14.000000000 +0200 +++ new/pam_u2f-1.0.8/Makefile.am 2019-06-04 11:28:00.000000000 +0200 @@ -13,6 +13,7 @@ pam_u2f_la_SOURCES = pam-u2f.c pam_u2f_la_SOURCES += util.c util.h +pam_u2f_la_SOURCES += drop_privs.h drop_privs.c pam_u2f_la_LIBADD = -lpam pam_u2f_la_LIBADD += $(LIBU2FHOST_LIBS) $(LIBU2FSERVER_LIBS) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/NEWS new/pam_u2f-1.0.8/NEWS --- old/pam_u2f-1.0.7/NEWS 2018-05-15 10:39:51.000000000 +0200 +++ new/pam_u2f-1.0.8/NEWS 2019-06-04 12:37:52.000000000 +0200 
@@ -2,6 +2,12 @@ pam-u2f NEWS -- History of user-visible changes. -*- outline -*- +* Version 1.0.8 (released 2019-06-04) + ** Fix debug file descriptor leak CVE-2019-12210. + ** Fix insecure debug file handling CVE-2019-12209. + Both reported by Matthias Gerstner of the SUSE Security Team. + ** Fix a non-critical buffer oob access. + * Version 1.0.7 (released 2018-05-15) ** Add authpending_file to signal authentication activity ** Add nodetect to skip to avoid unnecessary cue messages diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/README new/pam_u2f-1.0.8/README --- old/pam_u2f-1.0.7/README 2018-05-04 11:34:45.000000000 +0200 +++ new/pam_u2f-1.0.8/README 2019-06-04 11:28:00.000000000 +0200 @@ -45,7 +45,7 @@ 'Autoconf', 'automake', 'libtool', and 'libpam' must be installed. 'AsciiDoc' and 'xsltproc' are used to generate the manpages. - Debian: apt-get install autoconf automake libtool libpam-dev asciidoc xsltproc libxml2-utils docbook-xml --no-install-recommends + Debian: apt-get install autoconf automake libtool libpam-dev libu2f-host-dev libu2f-server-dev asciidoc xsltproc libxml2-utils docbook-xml --no-install-recommends Generate the build system using: @@ -114,6 +114,8 @@ Setuid to the authenticating user when opening the authfile. Useful when the user's home is stored on an NFS volume mounted with the root_squash option (which maps root to nobody which will not be able to read the file). +Note that after release 1.0.8 this is done by default when no global +authfile or XDG_CONFIG_HOME environment variable has been set. alwaysok:: Set to enable all authentication attempts to succeed (aka presentation mode). 
@@ -164,6 +166,11 @@ mappings are being used, the central authorization mappings file will not be used. +By default the mapping file inside a home directory will be opened as +the target user, whereas the central file will be opened as `root`. If +the `XDG_CONFIG_HOME` variable is set, privileges will not be dropped +unless the `openasuser` configuration setting is set. + IMPORTANT: Using pam-u2f to secure the login to a computer while storing the mapping file in an encrypted home directory, will result in the impossibility of logging into the system. The partition is @@ -184,6 +191,10 @@ auth sufficient pam_u2f.so authfile=/etc/u2f_mappings +If you do not set the `openasuser` setting, the authfile will be opened +and parsed as `root` so make sure it has the correct owner and +permissions set. + IMPORTANT: On dynamics networks (e.g. where hostnames are set by DHCP), users should not rely on the default origin and appid ("pam://$HOSTNAME") but set those parameters explicitly to the same value. @@ -197,6 +208,13 @@ This is much the same concept as the SSH authorized_keys file. +In this case, pam-u2f will drop privileges and read the mapping file +as that user. This happens regardless of the `openasuser` option being +set. + +Note that if you set the XDG_CONFIG_HOME variable, privileges will not +be dropped by default. Consider also setting `openasuser` in that case. + [[registration]] Obtaining key-handles and public keys ------------------------------------- diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/build-aux/ar-lib new/pam_u2f-1.0.8/build-aux/ar-lib --- old/pam_u2f-1.0.7/build-aux/ar-lib 2018-05-15 10:53:18.000000000 +0200 +++ new/pam_u2f-1.0.8/build-aux/ar-lib 2019-06-04 12:49:07.000000000 +0200 
@@ -4,7 +4,7 @@ me=ar-lib scriptversion=2012-03-01.08; # UTC -# Copyright (C) 2010-2017 Free Software Foundation, Inc. +# Copyright (C) 2010-2018 Free Software Foundation, Inc. # Written by Peter Rosin <[email protected]>. # # This program is free software; you can redistribute it and/or modify @@ -18,7 +18,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/build-aux/compile new/pam_u2f-1.0.8/build-aux/compile --- old/pam_u2f-1.0.7/build-aux/compile 2018-05-15 10:53:18.000000000 +0200 +++ new/pam_u2f-1.0.8/build-aux/compile 2019-06-04 12:49:07.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # Wrapper for compilers which do not understand '-c -o'. -scriptversion=2012-10-14.11; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1999-2014 Free Software Foundation, Inc. +# Copyright (C) 1999-2018 Free Software Foundation, Inc. # Written by Tom Tromey <[email protected]>. # # This program is free software; you can redistribute it and/or modify 
@@ -17,7 +17,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -255,7 +255,8 @@ echo "compile $scriptversion" exit $? ;; - cl | *[/\\]cl | cl.exe | *[/\\]cl.exe ) + cl | *[/\\]cl | cl.exe | *[/\\]cl.exe | \ + icl | *[/\\]icl | icl.exe | *[/\\]icl.exe ) func_cl_wrapper "$@" # Doesn't return... ;; esac @@ -339,9 +340,9 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/build-aux/missing new/pam_u2f-1.0.8/build-aux/missing --- old/pam_u2f-1.0.7/build-aux/missing 2018-05-15 10:53:18.000000000 +0200 +++ new/pam_u2f-1.0.8/build-aux/missing 2019-06-04 12:49:07.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # Common wrapper for a few potentially missing GNU programs. -scriptversion=2013-10-28.13; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 1996-2014 Free Software Foundation, Inc. +# Copyright (C) 1996-2018 Free Software Foundation, Inc. # Originally written by Fran,cois Pinard <[email protected]>, 1996. # This program is free software; you can redistribute it and/or modify 
@@ -17,7 +17,7 @@ # GNU General Public License for more details. # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -101,9 +101,9 @@ exit $st fi -perl_URL=http://www.perl.org/ -flex_URL=http://flex.sourceforge.net/ -gnu_software_URL=http://www.gnu.org/software +perl_URL=https://www.perl.org/ +flex_URL=https://github.com/westes/flex +gnu_software_URL=https://www.gnu.org/software program_details () { @@ -207,9 +207,9 @@ exit $st # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/build-aux/test-driver new/pam_u2f-1.0.8/build-aux/test-driver --- old/pam_u2f-1.0.7/build-aux/test-driver 2018-05-15 10:53:18.000000000 +0200 +++ new/pam_u2f-1.0.8/build-aux/test-driver 2019-06-04 12:49:07.000000000 +0200 @@ -1,9 +1,9 @@ #! /bin/sh # test-driver - basic testsuite driver script. -scriptversion=2013-07-13.22; # UTC +scriptversion=2018-03-07.03; # UTC -# Copyright (C) 2011-2014 Free Software Foundation, Inc. +# Copyright (C) 2011-2018 Free Software Foundation, Inc. # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
@@ -16,7 +16,7 @@ # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program. If not, see <http://www.gnu.org/licenses/>. +# along with this program. If not, see <https://www.gnu.org/licenses/>. # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -140,9 +140,9 @@ # Local Variables: # mode: shell-script # sh-indentation: 2 -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" -# time-stamp-time-zone: "UTC" +# time-stamp-time-zone: "UTC0" # time-stamp-end: "; # UTC" # End: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/configure.ac new/pam_u2f-1.0.8/configure.ac --- old/pam_u2f-1.0.7/configure.ac 2018-04-27 17:20:14.000000000 +0200 +++ new/pam_u2f-1.0.8/configure.ac 2019-06-04 11:28:00.000000000 +0200 @@ -1,6 +1,6 @@ # Copyright (C) 2014-2018 Yubico AB AC_PREREQ([2.65]) -AC_INIT([pam_u2f], [1.0.7], [https://github.com/Yubico/pam-u2f/issues], +AC_INIT([pam_u2f], [1.0.8], [https://github.com/Yubico/pam-u2f/issues], [pam_u2f], [https://developers.yubico.com/pam-u2f/]) AC_CONFIG_AUX_DIR([build-aux]) @@ -37,6 +37,8 @@ #include <security/pam_appl.h>]) AC_CHECK_LIB([pam], [pam_start]) +AC_SEARCH_LIBS([pam_modutil_drop_priv], ["pam"], [AC_DEFINE([HAVE_PAM_MODUTIL_DROP_PRIV], [1])]) + case "$host" in *darwin*) PAMDIR="/usr/lib/pam";; *linux*) PAMDIR="/lib/x86_64-linux-gnu/security";; 
@@ -71,6 +73,8 @@ AX_CHECK_COMPILE_FLAG([-Wall], [CWFLAGS="-Wall"]) AX_CHECK_COMPILE_FLAG([-Wextra], [CWFLAGS="$CWFLAGS -Wextra"]) AX_CHECK_COMPILE_FLAG([-Wconversion], [CWFLAGS="$CWFLAGS -Wconversion"]) +# Because pam headers are doing sign-conversion, see PAM_MODUTIL_DEF_PRIVS in pam_modutil.h +AX_CHECK_COMPILE_FLAG([-Wconversion], [CWFLAGS="$CWFLAGS -Wno-sign-conversion"]) AX_CHECK_COMPILE_FLAG([-Wpedantic], [CWFLAGS="$CWFLAGS -Wpedantic"]) AX_CHECK_COMPILE_FLAG([-Wformat=2], [CWFLAGS="$CWFLAGS -Wformat=2"]) AX_CHECK_COMPILE_FLAG([-Wstrict-prototypes], [CWFLAGS="$CWFLAGS -Wstrict-prototypes"]) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/drop_privs.c new/pam_u2f-1.0.8/drop_privs.c --- old/pam_u2f-1.0.7/drop_privs.c 1970-01-01 01:00:00.000000000 +0100 +++ new/pam_u2f-1.0.8/drop_privs.c 2019-06-04 11:28:00.000000000 +0200 
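Review bot: The new `AX_CHECK_COMPILE_FLAG([-Wconversion], [CWFLAGS="$CWFLAGS -Wno-sign-conversion"])` probes -Wconversion but appends a different flag, so a compiler that accepts the first and not the second gets an untested option; probe the flag that is actually added: `AX_CHECK_COMPILE_FLAG([-Wno-sign-conversion], [CWFLAGS="$CWFLAGS -Wno-sign-conversion"])`. The comment attributes the sign-conversion to pam_modutil.h alone, but this release's own fallback header initialises the `uid_t`/`gid_t` members of `struct _ykpam_privs` from `-1` in the same way, so the suppression is needed on both build paths and the comment should say so before someone removes it once the Linux-PAM path is assumed. Silencing sign-conversion for the whole module is also broader than the one macro needs; writing `(uid_t)-1`/`(gid_t)-1` in the fallback macro would let the warning stay enabled for the rest of the code (the Linux-PAM header would presumably still need the flag, though).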
@@ -0,0 +1,129 @@
+/* Written by Ricky Zhou <[email protected]>
+ * Fredrik Thulin <[email protected]> implemented pam_modutil_drop_priv
+ *
+ * Copyright (c) 2011-2014 Yubico AB
+ * Copyright (c) 2011 Ricky Zhou <[email protected]>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef HAVE_PAM_MODUTIL_DROP_PRIV
+
+#include <unistd.h>
+#include <pwd.h>
+#include <grp.h>
+#include <errno.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "drop_privs.h"
+#include "util.h"
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+
+int pam_modutil_drop_priv(pam_handle_t *pamh, struct _ykpam_privs *privs, struct passwd *pw) {
+ privs->saved_euid = geteuid();
+ privs->saved_egid = getegid();
+
+ if ((privs->saved_euid == pw->pw_uid) && (privs->saved_egid == pw->pw_gid)) {
+ D (privs->debug_file, "Privilges already dropped, pretend it is all right");
+ return 0;
+ }
+
+ privs->saved_groups_length = getgroups(0, NULL);
+ if (privs->saved_groups_length < 0) {
+ D (privs->debug_file, "getgroups: %s", strerror(errno));
+ return -1;
+ }
+
+ if (privs->saved_groups_length > SAVED_GROUPS_MAX_LEN) {
+ D (privs->debug_file, "too many groups, limiting.");
+ privs->saved_groups_length = SAVED_GROUPS_MAX_LEN;
+ }
+
+ if (privs->saved_groups_length > 0) {
+ if (getgroups(privs->saved_groups_length, privs->saved_groups) < 0) {
+ D (privs->debug_file, "getgroups: %s", strerror(errno));
+ goto free_out;
+ }
+ }
+
+ if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
+ D (privs->debug_file, "initgroups: %s", strerror(errno));
+ goto free_out;
+ }
+
+ if (setegid(pw->pw_gid) < 0) {
+ D (privs->debug_file, "setegid: %s", strerror(errno));
+ goto free_out;
+ }
+
+ if (seteuid(pw->pw_uid) < 0) {
+ D (privs->debug_file, "seteuid: %s", strerror(errno));
+ goto free_out;
+ }
+
+ return 0;
+free_out:
+ return -1;
+}
+
+int pam_modutil_regain_priv(pam_handle_t *pamh, struct _ykpam_privs *privs) {
+ if ((privs->saved_euid == geteuid()) && (privs->saved_egid == getegid())) {
+ D (privs->debug_file, "Privilges already as requested, pretend it is all right");
+ return 0;
+ }
+
+ if (seteuid(privs->saved_euid) < 0) {
+ D (privs->debug_file, "seteuid: %s", strerror(errno));
+ return -1;
+ }
+
+ if (setegid(privs->saved_egid) < 0) {
+ D (privs->debug_file, "setegid: %s", strerror(errno));
+ return -1;
+ }
+
+ if (setgroups(privs->saved_groups_length, privs->saved_groups) < 0) {
+ D (privs->debug_file, "setgroups: %s", strerror(errno));
+ return -1;
+ }
+
+ return 0;
+}
+
+#else
+
+// drop_privs.c:124: warning: ISO C forbids an empty translation unit [-Wpedantic]
+typedef int make_iso_compilers_happy;
+
+#endif // HAVE_PAM_MODUTIL_DROP_PRIV
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/drop_privs.h new/pam_u2f-1.0.8/drop_privs.h
--- old/pam_u2f-1.0.7/drop_privs.h 1970-01-01 01:00:00.000000000 +0100
+++ new/pam_u2f-1.0.8/drop_privs.h 2019-06-04 11:28:00.000000000 +0200
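Review bot: If setegid() fails after initgroups() has succeeded, the `free_out` label returns -1 with the process still at the original euid/egid but carrying the target user's supplementary groups, and pam_modutil_regain_priv() cannot clean that up because its shortcut returns 0 as soon as euid and egid match the saved values without looking at the group list (a seteuid() failure leaves egid and groups changed too, and is only repaired if the caller still calls regain). The undo must not run from the getgroups() failure path, where `privs->saved_groups` was never filled, so the failures need separate exits — see the fence, which restores groups after a failed setegid() and egid plus groups after a failed seteuid(). Separately, the 'too many groups, limiting.' branch cannot do what it says: on Linux getgroups() fails with EINVAL when the buffer is smaller than the real group count, so a process with more than SAVED_GROUPS_MAX_LEN groups ends up on the getgroups error path — a fine fail-closed outcome, but the message should say the drop was refused rather than limited. What pam-u2f.c does with -1 is outside this hunk; it should be checked that a failed drop never falls through to opening the user's file as root. Minor: `pamh` is unused in both functions and 'Privilges' is misspelled in both debug strings.
```c
int pam_modutil_drop_priv(pam_handle_t *pamh, struct _ykpam_privs *privs, struct passwd *pw) {
  /* … unchanged: save euid/egid, "already dropped" early return, both getgroups() calls;
     their `goto free_out` becomes a plain `return -1;` since nothing has been changed yet … */

  if (initgroups(pw->pw_name, pw->pw_gid) < 0) {
    D (privs->debug_file, "initgroups: %s", strerror(errno));
    return -1;
  }

  if (setegid(pw->pw_gid) < 0) {
    D (privs->debug_file, "setegid: %s", strerror(errno));
    goto restore_groups;
  }

  if (seteuid(pw->pw_uid) < 0) {
    D (privs->debug_file, "seteuid: %s", strerror(errno));
    goto restore_egid;
  }

  return 0;

restore_egid:
  if (setegid(privs->saved_egid) < 0) {
    D (privs->debug_file, "setegid: %s", strerror(errno));
  }
restore_groups:
  /* saved_groups is valid here: getgroups() filled it before initgroups() ran */
  if (setgroups(privs->saved_groups_length, privs->saved_groups) < 0) {
    D (privs->debug_file, "setgroups: %s", strerror(errno));
  }
  return -1;
}
```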
@@ -0,0 +1,64 @@
+/* Copyright (c) 2011-2014 Yubico AB
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __PAM_U2F_DROP_PRIVS_H_INCLUDED__
+#define __PAM_U2F_DROP_PRIVS_H_INCLUDED__
+
+#ifdef HAVE_PAM_MODUTIL_DROP_PRIV
+#include <security/pam_modutil.h>
+#else
+
+#include <pwd.h>
+#include <stdio.h>
+
+#ifdef HAVE_SECURITY_PAM_APPL_H
+#include <security/pam_appl.h>
+#endif
+#ifdef HAVE_SECURITY_PAM_MODULES_H
+#include <security/pam_modules.h>
+#endif
+
+#define SAVED_GROUPS_MAX_LEN 64 /* as pam_modutil.. */
+
+struct _ykpam_privs {
+ uid_t saved_euid;
+ gid_t saved_egid;
+ gid_t *saved_groups;
+ int saved_groups_length;
+ FILE *debug_file;
+};
+
+#define PAM_MODUTIL_DEF_PRIVS(n) \
+ gid_t n##_saved_groups[SAVED_GROUPS_MAX_LEN]; \
+ struct _ykpam_privs n = {-1, -1, n##_saved_groups, SAVED_GROUPS_MAX_LEN, cfg->debug_file}
+
+int pam_modutil_drop_priv(pam_handle_t *, struct _ykpam_privs *, struct passwd *);
+int pam_modutil_regain_priv(pam_handle_t *, struct _ykpam_privs *);
+
+#endif
+#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/m4/libtool.m4 new/pam_u2f-1.0.8/m4/libtool.m4
--- old/pam_u2f-1.0.7/m4/libtool.m4 2018-05-15 10:53:17.000000000 +0200
+++ new/pam_u2f-1.0.8/m4/libtool.m4 2019-06-04 12:49:04.000000000 +0200
@@ -4063,7 +4063,8 @@ if AC_TRY_EVAL(ac_compile); then # Now try to grab the symbols. nlist=conftest.nm - if AC_TRY_EVAL(NM conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist) && test -s "$nlist"; then + $ECHO "$as_me:$LINENO: $NM conftest.$ac_objext | $lt_cv_sys_global_symbol_pipe > $nlist" >&AS_MESSAGE_LOG_FD + if eval "$NM" conftest.$ac_objext \| "$lt_cv_sys_global_symbol_pipe" \> $nlist 2>&AS_MESSAGE_LOG_FD && test -s "$nlist"; then # Try sorting and uniquifying the output. if sort "$nlist" | uniq > "$nlist"T; then mv -f "$nlist"T "$nlist" 
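Review bot: `PAM_MODUTIL_DEF_PRIVS(n)` leaves `n##_saved_groups` uninitialized while presetting `saved_groups_length` to SAVED_GROUPS_MAX_LEN, so until pam_modutil_drop_priv() has run to completion the struct describes 64 indeterminate gids, and nothing in `struct _ykpam_privs` records whether a drop actually happened; regain only avoids handing those gids to setgroups() because its euid/egid comparison happens to short-circuit first. Track the state explicitly (Linux-PAM's own pam_modutil_privs keeps an is-dropped flag for this, if memory serves): add `int is_dropped;` as the last member, initialise it in the macro with `..., SAVED_GROUPS_MAX_LEN, cfg->debug_file, 0}`, set it after the final seteuid() in drop_priv succeeds and return early from regain_priv when it is 0 — the .c side of that is outside this hunk. The macro also silently captures a variable named `cfg` from the expanding scope, which deserves a comment above it such as `/* must be expanded where a variable cfg with a debug_file member is in scope */`. Style: `__PAM_U2F_DROP_PRIVS_H_INCLUDED__` starts with a double underscore and is therefore a reserved identifier; `PAM_U2F_DROP_PRIVS_H` is the conventional guard.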
@@ -4703,6 +4704,12 @@ _LT_TAGVAR(lt_prog_compiler_pic, $1)='-KPIC' _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' ;; + # flang / f18. f95 an alias for gfortran or flang on Debian + flang* | f18* | f95*) + _LT_TAGVAR(lt_prog_compiler_wl, $1)='-Wl,' + _LT_TAGVAR(lt_prog_compiler_pic, $1)='-fPIC' + _LT_TAGVAR(lt_prog_compiler_static, $1)='-static' + ;; # icc used to be incompatible with GCC. # ICC 10 doesn't accept -KPIC any more. icc* | ifort*) @@ -6438,7 +6445,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else GXX=no @@ -6813,7 +6820,7 @@ # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $EGREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then 
@@ -6878,7 +6885,7 @@ # explicitly linking system object files so we need to strip them # from the output so that they don't get included in the library # dependencies. - output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP "\-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' + output_verbose_link_cmd='templist=`($CC -b $CFLAGS -v conftest.$objext 2>&1) | $GREP " \-L"`; list= ; for z in $templist; do case $z in conftest.$objext) list="$list $z";; *.$objext);; *) list="$list $z";;esac; done; func_echo_all "$list"' ;; *) if test yes = "$GXX"; then @@ -7217,7 +7224,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else # FIXME: insert proper C++ library support @@ -7301,7 +7308,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -shared $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' else # g++ 2.7 appears to require '-G' NOT '-shared' on this # platform. 
@@ -7312,7 +7319,7 @@ # Commands to make compiler produce verbose output that lists # what "hidden" libraries, object files and flags are used when # linking a shared library. - output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP "\-L"' + output_verbose_link_cmd='$CC -G $CFLAGS -v conftest.$objext 2>&1 | $GREP -v "^Configured with:" | $GREP " \-L"' fi _LT_TAGVAR(hardcode_libdir_flag_spec, $1)='$wl-R $wl$libdir' diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/man/pam_u2f.8 new/pam_u2f-1.0.8/man/pam_u2f.8 --- old/pam_u2f-1.0.7/man/pam_u2f.8 2018-05-11 15:23:04.000000000 +0200 +++ new/pam_u2f-1.0.8/man/pam_u2f.8 2019-06-04 12:58:29.000000000 +0200 @@ -2,12 +2,12 @@ .\" Title: pam_u2f .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author] .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: Version 1.0.6 +.\" Date: Version 1.0.8 .\" Manual: PAM U2F Module Manual .\" Source: pam-u2f .\" Language: English .\" -.TH "PAM_U2F" "8" "Version 1\&.0\&.6" "pam\-u2f" "PAM U2F Module Manual" +.TH "PAM_U2F" "8" "Version 1\&.0\&.8" "pam\-u2f" "PAM U2F Module Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -64,7 +64,7 @@ .PP \fBauthpending_file\fR=\fIfile\fR .RS 4 -Set the location of the file that is used for touch request notifications\&. This file will be opened when pam\-u2f starts waiting for a user to touch the device, and will be closed when it no longer waits for a touch\&. Use inotify to listen on these events, or a more high\-level tool like yubikey\-touch\-detector\&. Default value: /var/run/user/$UID/pam\-u2f\-authpending\&. Set an empty value in order to disable this functionality, like so: lockfile= +Set the location of the file that is used for touch request notifications\&. This file will be opened when pam\-u2f starts waiting for a user to touch the device, and will be closed when it no longer waits for a touch\&. Use inotify to listen on these events, or a more high\-level tool like yubikey\-touch\-detector\&. Default value: /var/run/user/$UID/pam\-u2f\-authpending\&. Set an empty value in order to disable this functionality, like so: "authpending_file="\&. .RE .PP \fBnouserok\fR @@ -74,7 +74,7 @@ .PP \fBopenasuser\fR .RS 4 -Setuid to the authenticating user when opening the authfile\&. Useful when the user\(cqs home is stored on an NFS volume mounted with the root_squash option (which maps root to nobody which will not be able to read the file)\&. +Setuid to the authenticating user when opening the authfile\&. Useful when the user\(cqs home is stored on an NFS volume mounted with the root_squash option (which maps root to nobody which will not be able to read the file)\&. Note that after release 1\&.0\&.8 this is done by default when no global authfile or XDG_CONFIG_HOME environment variable has been set\&. .RE .PP \fBalwaysok\fR 
@@ -120,6 +120,8 @@ auth required pam_u2f\&.so origin=http://example\&.com appid=http://example\&.com authfile=/etc/yubikey_mappings .SH "CAVEATS" .sp +By default the mapping file inside a home directory will be opened as the target user, whereas the central file will be opened as root\&. If the XDG_CONFIG_HOME variable is set, privileges will not be dropped unless the openasuser configuration setting is set\&. +.sp Using pam\-u2f to secure the login to a computer while storing the mapping file in an encrypted home directory, will result in the impossibility of logging into the system\&. The partition is decrypted after login and the mapping file can not be accessed\&. .SH "NOTES" .sp diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/man/pam_u2f.8.txt new/pam_u2f-1.0.8/man/pam_u2f.8.txt --- old/pam_u2f-1.0.7/man/pam_u2f.8.txt 2018-05-02 12:31:58.000000000 +0200 +++ new/pam_u2f-1.0.8/man/pam_u2f.8.txt 2019-06-04 12:54:09.000000000 +0200 
@@ -30,13 +30,14 @@ Set the location of the file that holds the mappings of user names to keyHandles and user keys. The format is username:keyHandle1,public_key1:keyHandle2,public_key2:... the default location of the file is $XDG_CONFIG_HOME/Yubico/u2f_keys. If the environment variable is not set, $HOME/.config/Yubico/u2f_keys is used. *authpending_file*=_file_:: -Set the location of the file that is used for touch request notifications. This file will be opened when pam-u2f starts waiting for a user to touch the device, and will be closed when it no longer waits for a touch. Use inotify to listen on these events, or a more high-level tool like yubikey-touch-detector. Default value: /var/run/user/$UID/pam-u2f-authpending. Set an empty value in order to disable this functionality, like so: lockfile= +Set the location of the file that is used for touch request notifications. This file will be opened when pam-u2f starts waiting for a user to touch the device, and will be closed when it no longer waits for a touch. Use inotify to listen on these events, or a more high-level tool like yubikey-touch-detector. Default value: /var/run/user/$UID/pam-u2f-authpending. Set an empty value in order to disable this functionality, like so: "authpending_file=". *nouserok*:: Set to enable authentication attempts to succeed even if the user trying to authenticate is not found inside authfile or if authfile is missing/malformed. *openasuser*:: Setuid to the authenticating user when opening the authfile. Useful when the user's home is stored on an NFS volume mounted with the root_squash option (which maps root to nobody which will not be able to read the file). +Note that after release 1.0.8 this is done by default when no global authfile or XDG_CONFIG_HOME environment variable has been set. *alwaysok*:: Set to enable all authentication attempts to succeed (aka presentation mode). 
@@ -68,6 +69,11 @@ auth required pam_u2f.so origin=http://example.com appid=http://example.com authfile=/etc/yubikey_mappings == CAVEATS +By default the mapping file inside a home directory will be opened as +the target user, whereas the central file will be opened as `root`. If +the `XDG_CONFIG_HOME` variable is set, privileges will not be dropped +unless the `openasuser` configuration setting is set. + Using pam-u2f to secure the login to a computer while storing the mapping file in an encrypted home directory, will result in the impossibility of logging into the system. The partition is diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/man/pamu2fcfg.1 new/pam_u2f-1.0.8/man/pamu2fcfg.1 --- old/pam_u2f-1.0.7/man/pamu2fcfg.1 2018-05-02 12:27:58.000000000 +0200 +++ new/pam_u2f-1.0.8/man/pamu2fcfg.1 2019-06-04 12:49:24.000000000 +0200 
@@ -2,12 +2,12 @@
 .\" Title: pamu2fcfg
 .\" Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
-.\" Date: Version 1.0.6
+.\" Date: Version 1.0.8
 .\" Manual: PAM U2F Configuration Tool
 .\" Source: pamu2fcfg
 .\" Language: English
 .\"
-.TH "PAMU2FCFG" "1" "Version 1\&.0\&.6" "pamu2fcfg" "PAM U2F Configuration Tool"
+.TH "PAMU2FCFG" "1" "Version 1\&.0\&.8" "pamu2fcfg" "PAM U2F Configuration Tool"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/pam-u2f.c new/pam_u2f-1.0.8/pam-u2f.c
--- old/pam_u2f-1.0.7/pam-u2f.c 2018-05-02 12:31:58.000000000 +0200
+++ new/pam_u2f-1.0.8/pam-u2f.c 2019-06-04 11:28:00.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2018 Yubico AB - See COPYING
+ * Copyright (C) 2014-2019 Yubico AB - See COPYING
 */
 /* Define which PAM interfaces we provide */
@@ -20,6 +20,7 @@
 #include <errno.h>
 #include "util.h"
+#include "drop_privs.h"
 /* If secure_getenv is not defined, define it here */
 #ifndef HAVE_SECURE_GETENV
@@ -31,7 +32,11 @@
 #endif
 static void parse_cfg(int flags, int argc, const char **argv, cfg_t *cfg) {
+ struct stat st;
+ FILE *file = NULL;
+ int fd = -1;
 int i;
+
 memset(cfg, 0, sizeof(cfg_t));
 cfg->debug_file = stderr;
@@ -76,14 +81,14 @@
 cfg->debug_file = (FILE *)-1;
 }
 else {
- struct stat st;
- FILE *file;
- if(lstat(filename, &st) == 0) {
- if(S_ISREG(st.st_mode)) {
- file = fopen(filename, "a");
- if(file != NULL) {
- cfg->debug_file = file;
- }
+ fd = open(filename, O_WRONLY | O_APPEND | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY);
+ if (fd >= 0 && (fstat(fd, &st) == 0) && S_ISREG(st.st_mode)) {
+ file = fdopen(fd, "a");
+ if(file != NULL) {
+ cfg->debug_file = file;
+ cfg->is_custom_debug_file = 1;
+ file = NULL;
+ fd = -1;
 }
 }
 }
@@ -111,6 +116,12 @@
 D(cfg->debug_file, "appid=%s", cfg->appid ? cfg->appid : "(null)");
 D(cfg->debug_file, "prompt=%s", cfg->prompt ? cfg->prompt : "(null)");
 }
+
+ if (fd != -1)
+ close(fd);
+
+ if (file != NULL)
+ fclose(file);
 }
 #ifdef DBG
@@ -138,11 +149,12 @@
 int retval = PAM_IGNORE;
 device_t *devices = NULL;
 unsigned n_devices = 0;
- int openasuser;
+ int openasuser = 0;
 int should_free_origin = 0;
 int should_free_appid = 0;
 int should_free_auth_file = 0;
 int should_free_authpending_file = 0;
+ PAM_MODUTIL_DEF_PRIVS(privs);
 parse_cfg(flags, argc, argv, cfg);
@@ -225,6 +237,9 @@
 goto done;
 }
+ /* Opening a file in a users $HOME, need to drop privs for security */
+ openasuser = geteuid() == 0 ? 1 : 0;
+
 snprintf(buf, authfile_dir_len, "%s/.config%s", pw->pw_dir, DEFAULT_AUTHFILE);
 } else {
@@ -240,9 +255,14 @@
 snprintf(buf, authfile_dir_len, "%s%s", authfile_dir, DEFAULT_AUTHFILE);
+
+ if (!openasuser) {
+ DBG("WARNING: not dropping privileges when reading %s, please " "consider setting openasuser=1 in the module configuration", buf);
+ }
 }
- DBG("Using default authentication file %s", buf);
+ DBG("Using authentication file %s", buf);
 cfg->auth_file = buf; /* cfg takes ownership */
 should_free_auth_file = 1;
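Review bot: A repeated `debug_file=` option leaks the stream opened for the earlier occurrence: in the `@@ -76,14 +81,14 @@` hunk `cfg->debug_file = file;` overwrites whatever a previous iteration stored without closing it, and because `file = NULL; fd = -1;` are reset right away, the end-of-function cleanup cannot catch it either (parse_cfg's option loop starts outside the hunk, so the repetition case is inferred from the structure). Guarding the assignment with `if (cfg->is_custom_debug_file) fclose(cfg->debug_file);` keeps the module from accumulating descriptors across a misconfigured argument list. The same reset also means `file` is always NULL by the time the `@@ -111,6 +116,12 @@` hunk reaches `if (file != NULL) fclose(file);`, so that branch is unreachable as written; either drop it or mark it `/* defensive: file is handed to cfg above */` so a reader does not hunt for the path that sets it.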
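Review bot: The warning in the `@@ -240,9 +255,14 @@` hunk is emitted through `DBG`, which, going by the `cfg->debug` gating used elsewhere on this page, presumably only fires when the `debug` option is on, so the administrator the message is addressed to will usually never see it. Since it is configuration advice rather than debugging output, emitting it unconditionally via `pam_syslog(pamh, LOG_WARNING, ...)` (or at least stating in a comment that it is debug-only) would make it reach its audience. As far as the visible lines show, the notice also covers only the `authfile_dir` default; an explicit `authfile=` path, whose branch ends at the top of the next hunk, gets no equivalent notice even though it is read with the same privileges.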
@@ -251,25 +271,28 @@
 DBG("Using authentication file %s", cfg->auth_file);
 }
- openasuser = geteuid() == 0 && cfg->openasuser;
+ if (!openasuser) {
+ openasuser = geteuid() == 0 && cfg->openasuser;
+ }
 if (openasuser) {
- if (seteuid(pw_s.pw_uid)) {
- DBG("Unable to switch user to uid %i", pw_s.pw_uid);
+ DBG("Dropping privileges");
+ if (pam_modutil_drop_priv(pamh, &privs, pw)) {
+ DBG("Unable to switch user to uid %i", pw->pw_uid);
 retval = PAM_IGNORE;
 goto done;
 }
- DBG("Switched to uid %i", pw_s.pw_uid);
+ DBG("Switched to uid %i", pw->pw_uid);
 }
 retval = get_devices_from_authfile(cfg->auth_file, user, cfg->max_devs, cfg->debug, cfg->debug_file, devices, &n_devices);
 if (openasuser) {
- if (seteuid(0)) {
- DBG("Unable to switch back to uid 0");
+ if (pam_modutil_regain_priv(pamh, &privs)) {
+ DBG("could not restore privileges");
 retval = PAM_IGNORE;
 goto done;
 }
- DBG("Switched back to uid 0");
+ DBG("Restored privileges");
 }
 if (retval != 1) {
@@ -317,7 +340,8 @@
 DBG("Using file '%s' for emitting touch request notifications", cfg->authpending_file);
 // Open (or create) the authpending_file to indicate that we start waiting for a touch
- authpending_file_descriptor = open(cfg->authpending_file, O_RDONLY | O_CREAT, 0664);
+ authpending_file_descriptor = open(cfg->authpending_file, O_RDONLY | O_CREAT | O_CLOEXEC | O_NOFOLLOW | O_NOCTTY, 0664);
 if (authpending_file_descriptor < 0) {
 DBG("Unable to emit 'authentication started' notification by opening the file '%s', (%s)", cfg->authpending_file, strerror(errno));
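Review bot: Both failure paths of the privilege switch in the `@@ -251,25 +271,28 @@` hunk set `retval = PAM_IGNORE` before `goto done`, so a failed `pam_modutil_drop_priv` or `pam_modutil_regain_priv` makes the stack disregard this module's verdict instead of failing the authentication. For a module configured as `required` that means the second factor is quietly skipped on a misconfiguration; if that is intended, a comment on those two lines saying so would help, otherwise `PAM_AUTH_ERR` (or `PAM_SYSTEM_ERR`) is the safer default, and a failed regain arguably warrants the stronger answer since whatever runs after `done:` then still executes with the user's identity. The `%i` conversions for `pw->pw_uid` also hand a `uid_t` to an `int` format; `%u` with an `(unsigned)` cast matches on glibc. The enclosing function and its `done:` label are outside the hunk.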
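Review bot: The authpending open in the `@@ -317,7 +340,8 @@` hunk adds `O_NOFOLLOW`, but unlike the debug-file open in parse_cfg it is not followed by an `fstat()`/`S_ISREG()` check, so a pre-existing non-regular file at `cfg->authpending_file` is accepted as-is; per the man-page hunks on this page the path defaults to a per-user runtime directory, and by the hunk order this code appears to run after privileges were restored. A matching `if (fstat(fd, &st) == 0 && !S_ISREG(st.st_mode)) { close(fd); fd = -1; }` (names adjusted to what is in scope outside the hunk) would keep the two open paths aligned. The creation mode `0664` is also a bare literal; a named constant or a comment saying why group-write is wanted would help the next reader. The enclosing function starts outside the hunk.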
@@ -385,6 +409,10 @@
 }
 DBG("done. [%s]", pam_strerror(pamh, retval));
+ if (cfg->is_custom_debug_file) {
+ fclose(cfg->debug_file);
+ }
+
 return retval;
 }
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/util.c new/pam_u2f-1.0.8/util.c
--- old/pam_u2f-1.0.7/util.c 2018-05-02 12:31:58.000000000 +0200
+++ new/pam_u2f-1.0.8/util.c 2019-06-04 11:28:00.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2018 Yubico AB - See COPYING
+ * Copyright (C) 2014-2019 Yubico AB - See COPYING
 */
 #include "util.h"
@@ -36,7 +36,7 @@
 /* Ensure we never return uninitialized count. */
 *n_devs = 0;
- fd = open(authfile, O_RDONLY, 0);
+ fd = open(authfile, O_RDONLY | O_CLOEXEC | O_NOCTTY);
 if (fd < 0) {
 if (verbose)
 D(debug_file, "Cannot open file: %s (%s)", authfile, strerror(errno));
@@ -83,6 +83,8 @@
 if (verbose)
 D(debug_file, "fdopen: %s", strerror(errno));
 goto err;
+ } else {
+ fd = -1; /* fd belongs to opwfile */
 }
 buf = malloc(sizeof(char) * (DEVSIZE * max_devs));
@@ -95,8 +97,9 @@
 retval = -2;
 while (fgets(buf, (int)(DEVSIZE * (max_devs - 1)), opwfile)) {
 char *saveptr = NULL;
- if (buf[strlen(buf) - 1] == '\n')
- buf[strlen(buf) - 1] = '\0';
+ size_t len = strlen(buf);
+ if (len > 0 && buf[len - 1] == '\n')
+ buf[len - 1] = '\0';
 if (verbose)
 D(debug_file, "Authorization line: %s", buf);
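Review bot: After `fclose(cfg->debug_file)` in the `@@ -385,6 +409,10 @@` hunk the pointer is left dangling while `is_custom_debug_file` stays set, so any later `DBG` against the same `cfg` (for instance if `cfg` outlives this function, or if the code after `done:` is extended) would write to a closed stream. Resetting both fields right after the close, `cfg->debug_file = stderr; cfg->is_custom_debug_file = 0;`, rules that out at no cost. `fclose` on a write stream can also fail on the final flush; ignoring that is acceptable for a debug log, but a `(void)` cast or a short comment would show it is deliberate. The enclosing function starts outside the hunk.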
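Review bot: The authfile open in the `@@ -36,7 +36,7 @@` hunk adds `O_CLOEXEC | O_NOCTTY` but, unlike the two other `open()` calls in this commit, not `O_NOFOLLOW`, and this is the file that is still parsed with elevated privileges whenever `openasuser` is off (the warning added in the pam-u2f.c hunks covers exactly that case). If following symlinks is deliberate because users commonly manage `~/.config` as a link farm, a comment such as `/* symlinks allowed on purpose: authfile is often a dotfile link */` would stop a later reader from "fixing" it; otherwise `O_NOFOLLOW` plus an `fstat()`/`S_ISREG()` check after the open would match the debug-file handling. The enclosing function (presumably `get_devices_from_authfile`, judging by the parameter names) starts outside the hunk.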
@@ -119,17 +122,17 @@
 i = 0;
 while ((s_token = strtok_r(NULL, ",", &saveptr))) {
- devices[i].keyHandle = NULL;
- devices[i].publicKey = NULL;
-
- if ((*n_devs)++ > MAX_DEVS - 1) {
- *n_devs = MAX_DEVS;
+ if ((*n_devs)++ > max_devs - 1) {
+ *n_devs = max_devs;
 if (verbose)
 D(debug_file, "Found more than %d devices, ignoring the remaining ones",
- MAX_DEVS);
+ max_devs);
 break;
 }
+ devices[i].keyHandle = NULL;
+ devices[i].publicKey = NULL;
+
 if (verbose)
 D(debug_file, "KeyHandle for device number %d: %s", i + 1, s_token);
@@ -211,8 +214,10 @@
 if (opwfile)
 fclose(opwfile);
- else if (fd >= 0)
+
+ if (fd != -1)
 close(fd);
+
 return retval;
 }
@@ -294,6 +299,9 @@
 return retval;
 }
+ if (cfg->nodetect && cfg->debug)
+ D(cfg->debug_file, "nodetect option specified, suitable key detection will be skipped");
+
 i = 0;
 while (i < n_devs) {
@@ -328,9 +336,6 @@
 if (cfg->nodetect || (h_rc = u2fh_authenticate(devs, buf, cfg->origin, &response, 0)) == U2FH_OK ) {
- if (cfg->nodetect)
- D(cfg->debug_file, "nodetect option specified, suitable key detection skipped");
-
 if (cfg->manual == 0 && cfg->cue && !cued) {
 cued = 1;
 converse(pamh, PAM_TEXT_INFO, DEFAULT_CUE);
@@ -560,9 +565,15 @@
 out = malloc(size);
 }
- size = (unsigned int)sprintf(out, DEBUG_STR, file, line, func);
- vsprintf(&out[size], fmt, ap);
- va_end(ap);
+ if (out) {
+ size = (unsigned int)sprintf(out, DEBUG_STR, file, line, func);
+ vsprintf(&out[size], fmt, ap);
+ va_end(ap);
+ }
+ else {
+ out = buffer;
+ sprintf(out, "debug(pam_u2f): malloc failed when trying to log\n");
+ }
 if (debug_file == (FILE *)-1) {
 syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", out);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' --exclude Makefile.in --exclude configure --exclude config.guess --exclude '*.pot' --exclude mkinstalldirs --exclude aclocal.m4 --exclude config.sub --exclude depcomp --exclude install-sh --exclude ltmain.sh old/pam_u2f-1.0.7/util.h new/pam_u2f-1.0.8/util.h
--- old/pam_u2f-1.0.7/util.h 2018-05-02 12:31:58.000000000 +0200
+++ new/pam_u2f-1.0.8/util.h 2019-06-04 11:28:00.000000000 +0200
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014-2018 Yubico AB - See COPYING
+ * Copyright (C) 2014-2019 Yubico AB - See COPYING
 */
 #ifndef UTIL_H
@@ -45,6 +45,7 @@
 const char *appid;
 const char *prompt;
 FILE *debug_file;
+ int is_custom_debug_file;
 } cfg_t;
 typedef struct {
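Review bot: `va_end(ap)` in the `@@ -560,9 +565,15 @@` hunk now runs only inside `if (out)`; the `else` branch falls through to the output code without ending the argument list, which the C standard requires for every `va_start` (the `va_start` itself is outside the hunk, so this assumes `ap` was started earlier in the function, as the `vsprintf(&out[size], fmt, ap)` call implies). Moving the single line `va_end(ap);` to just after the `if`/`else` covers both paths. The fallback `sprintf(out, ...)` into `buffer` is bounded only by the literal's length; if `buffer` is a local array, `snprintf(buffer, sizeof buffer, ...)` makes that bound visible in the code rather than implicit.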
