Blame - poky/meta/recipes-extended/pam/libpam/pam-security-abstract-securetty-handling.patch - mdmillerii/openbmc

blob: 9b8d4c297516d6c0cd64f990f14c4b51d897dbf2 [file] [log] [blame]

Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	1	Description: extract the securetty logic for use with the "nullok_secure" option
				2	introduced in the "055_pam_unix_nullok_secure" patch.
				3
				4	Upstream-Status: Pending
				5
				6	Signed-off-by: Ming Liu <ming.liu@windriver.com>
				7	===================================================================
Brad Bishop	316dfdd	2018-06-25 12:45:53 -0400	[diff] [blame]	8	Index: Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
				9	===================================================================
				10	--- Linux-PAM-1.3.0.orig/modules/pam_securetty/Makefile.am
				11	+++ Linux-PAM-1.3.0/modules/pam_securetty/Makefile.am
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	12	@@ -24,6 +24,10 @@ endif
				13	securelib_LTLIBRARIES = pam_securetty.la
Brad Bishop	316dfdd	2018-06-25 12:45:53 -0400	[diff] [blame]	14	pam_securetty_la_LIBADD = $(top_builddir)/libpam/libpam.la
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	15
				16	+pam_securetty_la_SOURCES = \
				17	+ pam_securetty.c \
				18	+ tty_secure.c
				19	+
				20	if ENABLE_REGENERATE_MAN
				21	noinst_DATA = README
				22	README: pam_securetty.8.xml
Brad Bishop	316dfdd	2018-06-25 12:45:53 -0400	[diff] [blame]	23	Index: Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
				24	===================================================================
				25	--- Linux-PAM-1.3.0.orig/modules/pam_securetty/pam_securetty.c
				26	+++ Linux-PAM-1.3.0/modules/pam_securetty/pam_securetty.c
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	27	@@ -1,7 +1,5 @@
				28	/* pam_securetty module */
				29
				30	-#define SECURETTY_FILE "/etc/securetty"
				31	-#define TTY_PREFIX "/dev/"
				32	#define CMDLINE_FILE "/proc/cmdline"
				33	#define CONSOLEACTIVE_FILE "/sys/class/tty/console/active"
				34
				35	@@ -40,6 +38,9 @@
				36	#include <security/pam_modutil.h>
				37	#include <security/pam_ext.h>
				38
				39	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
				40	+ const char *uttyname);
				41	+
				42	#define PAM_DEBUG_ARG 0x0001
				43	#define PAM_NOCONSOLE_ARG 0x0002
				44
				45	@@ -73,11 +74,7 @@ securetty_perform_check (pam_handle_t *p
				46	const char *username;
				47	const char *uttyname;
				48	const void *void_uttyname;
				49	- char ttyfileline[256];
				50	- char ptname[256];
				51	- struct stat ttyfileinfo;
				52	struct passwd *user_pwd;
				53	- FILE *ttyfile;
				54
				55	/* log a trail for debugging */
				56	if (ctrl & PAM_DEBUG_ARG) {
				57	@@ -105,50 +102,7 @@ securetty_perform_check (pam_handle_t *p
				58	return PAM_SERVICE_ERR;
				59	}
				60
				61	- /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
				62	- if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0) {
				63	- uttyname += sizeof(TTY_PREFIX)-1;
				64	- }
				65	-
				66	- if (stat(SECURETTY_FILE, &ttyfileinfo)) {
				67	- pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
				68	- return PAM_SUCCESS; /* for compatibility with old securetty handling,
				69	- this needs to succeed. But we still log the
				70	- error. */
				71	- }
				72	-
				73	- if ((ttyfileinfo.st_mode & S_IWOTH) \|\| !S_ISREG(ttyfileinfo.st_mode)) {
				74	- /* If the file is world writable or is not a
				75	- normal file, return error */
				76	- pam_syslog(pamh, LOG_ERR,
				77	- "%s is either world writable or not a normal file",
				78	- SECURETTY_FILE);
				79	- return PAM_AUTH_ERR;
				80	- }
				81	-
				82	- ttyfile = fopen(SECURETTY_FILE,"r");
				83	- if (ttyfile == NULL) { /* Check that we opened it successfully */
				84	- pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
				85	- return PAM_SERVICE_ERR;
				86	- }
				87	-
				88	- if (isdigit(uttyname[0])) {
				89	- snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
				90	- } else {
				91	- ptname[0] = '\0';
				92	- }
				93	-
				94	- retval = 1;
				95	-
				96	- while ((fgets(ttyfileline, sizeof(ttyfileline)-1, ttyfile) != NULL)
				97	- && retval) {
				98	- if (ttyfileline[strlen(ttyfileline) - 1] == '\n')
				99	- ttyfileline[strlen(ttyfileline) - 1] = '\0';
				100	-
				101	- retval = ( strcmp(ttyfileline, uttyname)
				102	- && (!ptname[0] \|\| strcmp(ptname, uttyname)) );
				103	- }
				104	- fclose(ttyfile);
				105	+ retval = _pammodutil_tty_secure(pamh, uttyname);
				106
				107	if (retval && !(ctrl & PAM_NOCONSOLE_ARG)) {
				108	FILE *cmdlinefile;
Brad Bishop	316dfdd	2018-06-25 12:45:53 -0400	[diff] [blame]	109	Index: Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
				110	===================================================================
				111	--- /dev/null
				112	+++ Linux-PAM-1.3.0/modules/pam_securetty/tty_secure.c
Patrick Williams	c124f4f	2015-09-15 14:41:29 -0500	[diff] [blame]	113	@@ -0,0 +1,90 @@
				114	+/*
				115	+ * A function to determine if a particular line is in /etc/securetty
				116	+ */
				117	+
				118	+
				119	+#define SECURETTY_FILE "/etc/securetty"
				120	+#define TTY_PREFIX "/dev/"
				121	+
				122	+/* This function taken out of pam_securetty by Sam Hartman
				123	+ * <hartmans@debian.org>*/
				124	+/*
				125	+ * by Elliot Lee <sopwith@redhat.com>, Red Hat Software.
				126	+ * July 25, 1996.
				127	+ * Slight modifications AGM. 1996/12/3
				128	+ */
				129	+
				130	+#include <unistd.h>
				131	+#include <sys/types.h>
				132	+#include <sys/stat.h>
				133	+#include <security/pam_modules.h>
				134	+#include <stdarg.h>
				135	+#include <syslog.h>
				136	+#include <sys/syslog.h>
				137	+#include <stdio.h>
				138	+#include <string.h>
				139	+#include <stdlib.h>
				140	+#include <ctype.h>
				141	+#include <security/pam_modutil.h>
				142	+#include <security/pam_ext.h>
				143	+
				144	+extern int _pammodutil_tty_secure(const pam_handle_t *pamh,
				145	+ const char *uttyname);
				146	+
				147	+int _pammodutil_tty_secure(const pam_handle_t pamh, const char uttyname)
				148	+{
				149	+ int retval = PAM_AUTH_ERR;
				150	+ char ttyfileline[256];
				151	+ char ptname[256];
				152	+ struct stat ttyfileinfo;
				153	+ FILE *ttyfile;
				154	+ /* The PAM_TTY item may be prefixed with "/dev/" - skip that */
				155	+ if (strncmp(TTY_PREFIX, uttyname, sizeof(TTY_PREFIX)-1) == 0)
				156	+ uttyname += sizeof(TTY_PREFIX)-1;
				157	+
				158	+ if (stat(SECURETTY_FILE, &ttyfileinfo)) {
				159	+ pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m",
				160	+ SECURETTY_FILE);
				161	+ return PAM_SUCCESS; /* for compatibility with old securetty handling,
				162	+ this needs to succeed. But we still log the
				163	+ error. */
				164	+ }
				165	+
				166	+ if ((ttyfileinfo.st_mode & S_IWOTH) \|\| !S_ISREG(ttyfileinfo.st_mode)) {
				167	+ /* If the file is world writable or is not a
				168	+ normal file, return error */
				169	+ pam_syslog(pamh, LOG_ERR,
				170	+ "%s is either world writable or not a normal file",
				171	+ SECURETTY_FILE);
				172	+ return PAM_AUTH_ERR;
				173	+ }
				174	+
				175	+ ttyfile = fopen(SECURETTY_FILE,"r");
				176	+ if(ttyfile == NULL) { /* Check that we opened it successfully */
				177	+ pam_syslog(pamh, LOG_ERR, "Error opening %s: %m", SECURETTY_FILE);
				178	+ return PAM_SERVICE_ERR;
				179	+ }
				180	+
				181	+ if (isdigit(uttyname[0])) {
				182	+ snprintf(ptname, sizeof(ptname), "pts/%s", uttyname);
				183	+ } else {
				184	+ ptname[0] = '\0';
				185	+ }
				186	+
				187	+ retval = 1;
				188	+
				189	+ while ((fgets(ttyfileline,sizeof(ttyfileline)-1, ttyfile) != NULL)
				190	+ && retval) {
				191	+ if(ttyfileline[strlen(ttyfileline) - 1] == '\n')
				192	+ ttyfileline[strlen(ttyfileline) - 1] = '\0';
				193	+ retval = ( strcmp(ttyfileline,uttyname)
				194	+ && (!ptname[0] \|\| strcmp(ptname, uttyname)) );
				195	+ }
				196	+ fclose(ttyfile);
				197	+
				198	+ if(retval) {
				199	+ retval = PAM_AUTH_ERR;
				200	+ }
				201	+
				202	+ return retval;
				203	+}