Bug#385068: add some pam features
General Stone [EMAIL PROTECTED] writes: Roger Leigh wrote: I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Yes, I was self confused about the function of these variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server set the PAM_TTY variable to ssh and xdm set the variable to :0 or :1, etc. The pam_access module themself support these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd set the variable to cups or cupsys or whatever. OK, thanks for clarifying that. Looking at openssh, that was surrounded by #ifdef PAM_TTY_KLUDGE ... #endif so it looks like it's essentially a workaround for buggy PAM modules. If it's considered acceptable for openssh, it should be fine for CUPS. Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgp2QkneMXoS6.pgp Description: PGP signature
Bug#385068: add some pam features
General Stone [EMAIL PROTECTED] writes: Roger Leigh wrote: I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Yes, I was self confused about the function of these variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server set the PAM_TTY variable to ssh and xdm set the variable to :0 or :1, etc. The pam_access module themself support these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd set the variable to cups or cupsys or whatever. OK, thanks for clarifying that. Looking at openssh, that was surrounded by #ifdef PAM_TTY_KLUDGE ... #endif so it looks like it's essentially a workaround for buggy PAM modules. If it's considered acceptable for openssh, it should be fine for CUPS. Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgpoTTIbsysr1.pgp Description: PGP signature
Bug#385068: add some pam features
General Stone [EMAIL PROTECTED] writes: Package: cupsys Version: 1.2.2-1 Severity: wishlist Tags: patch Please add these pam features: 1) pam_set_item(pamh, PAM_TTY, cups) --- Need by some pam-modules which need the 'tty' variable, like pam_group, pam_access, pam_time, etc. I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgpGdvvByaMgQ.pgp Description: PGP signature
Bug#385068: add some pam features
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Roger Leigh wrote: I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Yes, I was self confused about the function of these variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server set the PAM_TTY variable to ssh and xdm set the variable to :0 or :1, etc. The pam_access module themself support these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd set the variable to cups or cupsys or whatever. - - Markus Nass - -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE9ExBfBT4BlZld/0RA/CoAJ9PG4F2d6om8NXtvMiVvHZnkLTwRwCdFiv0 YM8pBhiK1u5af1rwrLtfjE0= =GHGE -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#385068: add some pam features
Package: cupsys
Version: 1.2.2-1
Severity: wishlist
Tags: patch
Please add these pam features:
1) pam_set_item(pamh, PAM_TTY, cups)
---
Need by some pam-modules which need the 'tty' variable, like
pam_group, pam_access, pam_time, etc.
2) pam_set_item(pamh, PAM_RHOST, con-http.hostname)
-
Usefull for some pam-modules like pam_access, etc and for the logs,
which are created by pam.
3) pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT)
Need by some pam-modules like pam_tally, pam_group, etc.
The patch is in the attachment and for the original tarball.
Thanks.
- Markus Nass
--
Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD
~~
Was nicht fliegen kann, kann auch nicht abstürzen.
~~
diff -urN old/cups-1.2.2/scheduler/auth.c new/cups-1.2.2/scheduler/auth.c
--- old/cups-1.2.2/scheduler/auth.c 2006-06-07 22:58:29.0 +0200
+++ new/cups-1.2.2/scheduler/auth.c 2006-08-28 21:28:59.0 +0200
@@ -510,6 +510,28 @@
return;
}
+ pamerr = pam_set_item(pamh, PAM_TTY, cups);
+ if (pamerr != PAM_SUCCESS)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ cupsdAuthorize: pam_set_item() returned %d
+ (%s)!\n,
+ pamerr, pam_strerror(pamh, pamerr));
+ pam_end(pamh, 0);
+ return;
+ }
+
+ pamerr = pam_set_item(pamh, PAM_RHOST, con-http.hostname);
+ if (pamerr != PAM_SUCCESS)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ cupsdAuthorize: pam_set_item() returned %d
+ (%s)!\n,
+ pamerr, pam_strerror(pamh, pamerr));
+ pam_end(pamh, 0);
+ return;
+ }
+
pamerr = pam_authenticate(pamh, PAM_SILENT);
if (pamerr != PAM_SUCCESS)
{
@@ -532,6 +554,17 @@
return;
}
+ pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT);
+ if (pamerr != PAM_SUCCESS)
+ {
+ cupsdLogMessage(CUPSD_LOG_ERROR,
+ cupsdAuthorize: pam_setcred() returned %d
+ (%s)!\n,
+ pamerr, pam_strerror(pamh, pamerr));
+ pam_end(pamh, 0);
+ return;
+ }
+
pam_end(pamh, PAM_SUCCESS);
#elif defined(HAVE_USERSEC_H)
signature.asc
Description: OpenPGP digital signature
