Bug#385068: add some pam features
General Stone [EMAIL PROTECTED] writes: Roger Leigh wrote: I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Yes, I was self confused about the function of these variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server set the PAM_TTY variable to ssh and xdm set the variable to :0 or :1, etc. The pam_access module themself support these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd set the variable to cups or cupsys or whatever. OK, thanks for clarifying that. Looking at openssh, that was surrounded by #ifdef PAM_TTY_KLUDGE ... #endif so it looks like it's essentially a workaround for buggy PAM modules. If it's considered acceptable for openssh, it should be fine for CUPS. Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgp2QkneMXoS6.pgp Description: PGP signature
Bug#385068: add some pam features
General Stone [EMAIL PROTECTED] writes: Roger Leigh wrote: I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Yes, I was self confused about the function of these variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server set the PAM_TTY variable to ssh and xdm set the variable to :0 or :1, etc. The pam_access module themself support these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd set the variable to cups or cupsys or whatever. OK, thanks for clarifying that. Looking at openssh, that was surrounded by #ifdef PAM_TTY_KLUDGE ... #endif so it looks like it's essentially a workaround for buggy PAM modules. If it's considered acceptable for openssh, it should be fine for CUPS. Thanks, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgpoTTIbsysr1.pgp Description: PGP signature
Bug#385068: add some pam features
General Stone [EMAIL PROTECTED] writes: Package: cupsys Version: 1.2.2-1 Severity: wishlist Tags: patch Please add these pam features: 1) pam_set_item(pamh, PAM_TTY, cups) --- Need by some pam-modules which need the 'tty' variable, like pam_group, pam_access, pam_time, etc. I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Regards, Roger -- .''`. Roger Leigh : :' : Debian GNU/Linux http://people.debian.org/~rleigh/ `. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/ `-GPG Public Key: 0x25BFB848 Please GPG sign your mail. pgpGdvvByaMgQ.pgp Description: PGP signature
Bug#385068: add some pam features
-BEGIN PGP SIGNED MESSAGE- Hash: RIPEMD160 Roger Leigh wrote: I'm fairly sure that the PAM_TTY must be a terminal device. There might be security issues in using a fake TTY: that's a relative path, and so a cups TTY could be created in the CWD and potentially abused (for example, a hard or soft link to a real TTY). If there isn't a TTY, PAM_TTY should probably be left unset. Yes, I was self confused about the function of these variable, but the pam-modules (look at the sources) want be check if it was a TTY device or not. The SSH server set the PAM_TTY variable to ssh and xdm set the variable to :0 or :1, etc. The pam_access module themself support these fake variables (see libpam-doc). So I think there shouldn't be a problem if cupsd set the variable to cups or cupsys or whatever. - - Markus Nass - -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.5 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFE9ExBfBT4BlZld/0RA/CoAJ9PG4F2d6om8NXtvMiVvHZnkLTwRwCdFiv0 YM8pBhiK1u5af1rwrLtfjE0= =GHGE -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
Bug#385068: add some pam features
Package: cupsys Version: 1.2.2-1 Severity: wishlist Tags: patch Please add these pam features: 1) pam_set_item(pamh, PAM_TTY, cups) --- Need by some pam-modules which need the 'tty' variable, like pam_group, pam_access, pam_time, etc. 2) pam_set_item(pamh, PAM_RHOST, con-http.hostname) - Usefull for some pam-modules like pam_access, etc and for the logs, which are created by pam. 3) pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT) Need by some pam-modules like pam_tally, pam_group, etc. The patch is in the attachment and for the original tarball. Thanks. - Markus Nass -- Key fingerprint = DC3C 257C 2B71 8FA4 F609 F7F7 7C14 F806 5665 77FD ~~ Was nicht fliegen kann, kann auch nicht abstürzen. ~~ diff -urN old/cups-1.2.2/scheduler/auth.c new/cups-1.2.2/scheduler/auth.c --- old/cups-1.2.2/scheduler/auth.c 2006-06-07 22:58:29.0 +0200 +++ new/cups-1.2.2/scheduler/auth.c 2006-08-28 21:28:59.0 +0200 @@ -510,6 +510,28 @@ return; } + pamerr = pam_set_item(pamh, PAM_TTY, cups); + if (pamerr != PAM_SUCCESS) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + cupsdAuthorize: pam_set_item() returned %d + (%s)!\n, + pamerr, pam_strerror(pamh, pamerr)); + pam_end(pamh, 0); + return; + } + + pamerr = pam_set_item(pamh, PAM_RHOST, con-http.hostname); + if (pamerr != PAM_SUCCESS) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + cupsdAuthorize: pam_set_item() returned %d + (%s)!\n, + pamerr, pam_strerror(pamh, pamerr)); + pam_end(pamh, 0); + return; + } + pamerr = pam_authenticate(pamh, PAM_SILENT); if (pamerr != PAM_SUCCESS) { @@ -532,6 +554,17 @@ return; } + pamerr = pam_setcred(pamh, PAM_ESTABLISH_CRED|PAM_SILENT); + if (pamerr != PAM_SUCCESS) + { + cupsdLogMessage(CUPSD_LOG_ERROR, + cupsdAuthorize: pam_setcred() returned %d + (%s)!\n, + pamerr, pam_strerror(pamh, pamerr)); + pam_end(pamh, 0); + return; + } + pam_end(pamh, PAM_SUCCESS); #elif defined(HAVE_USERSEC_H) signature.asc Description: OpenPGP digital signature