2002-04-12 20:27:47 +00:00
|
|
|
/*-
|
2003-05-25 18:34:31 +00:00
|
|
|
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
|
2016-01-11 16:22:09 +00:00
|
|
|
* Copyright (c) 2004-2015 Dag-Erling Smørgrav
|
2002-04-12 20:27:47 +00:00
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This software was developed for the FreeBSD Project by ThinkSec AS and
|
2002-06-07 18:22:57 +00:00
|
|
|
* Network Associates Laboratories, the Security Research Division of
|
|
|
|
* Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
|
|
|
|
* ("CBOSS"), as part of the DARPA CHATS research program.
|
2002-04-12 20:27:47 +00:00
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms, with or without
|
|
|
|
* modification, are permitted provided that the following conditions
|
|
|
|
* are met:
|
|
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer.
|
|
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
|
|
* documentation and/or other materials provided with the distribution.
|
|
|
|
* 3. The name of the author may not be used to endorse or promote
|
|
|
|
* products derived from this software without specific prior written
|
|
|
|
* permission.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
|
|
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
|
|
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
|
|
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
|
|
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
|
|
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
|
|
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
|
|
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
|
|
* SUCH DAMAGE.
|
|
|
|
*/
|
|
|
|
|
2008-02-14 18:33:24 +00:00
|
|
|
#ifdef HAVE_CONFIG_H
|
|
|
|
# include "config.h"
|
|
|
|
#endif
|
|
|
|
|
2012-01-11 00:29:48 +00:00
|
|
|
#include <sys/param.h>
|
|
|
|
|
2002-04-12 20:27:47 +00:00
|
|
|
#include <errno.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
|
|
|
|
#include <security/pam_appl.h>
|
|
|
|
|
|
|
|
#include "openpam_impl.h"
|
2012-04-01 15:01:21 +00:00
|
|
|
#include "openpam_ctype.h"
|
2012-04-02 09:46:48 +00:00
|
|
|
#include "openpam_strlcat.h"
|
|
|
|
#include "openpam_strlcpy.h"
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2003-06-01 14:23:25 +00:00
|
|
|
static int openpam_load_chain(pam_handle_t *, const char *, pam_facility_t);
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2003-05-25 18:34:31 +00:00
|
|
|
/*
|
2012-04-01 15:01:21 +00:00
|
|
|
* Validate a service name.
|
2011-11-03 15:39:18 +00:00
|
|
|
*
|
2012-04-01 15:01:21 +00:00
|
|
|
* Returns a non-zero value if the argument points to a NUL-terminated
|
|
|
|
* string consisting entirely of characters in the POSIX portable filename
|
|
|
|
* character set, excluding the path separator character.
|
2003-05-25 18:34:31 +00:00
|
|
|
*/
|
2002-04-12 20:27:47 +00:00
|
|
|
static int
|
2012-04-01 15:01:21 +00:00
|
|
|
valid_service_name(const char *name)
|
2003-05-25 18:34:31 +00:00
|
|
|
{
|
2012-04-01 15:01:21 +00:00
|
|
|
const char *p;
|
2003-05-25 18:34:31 +00:00
|
|
|
|
2012-04-14 14:18:41 +00:00
|
|
|
if (OPENPAM_FEATURE(RESTRICT_SERVICE_NAME)) {
|
|
|
|
/* path separator not allowed */
|
|
|
|
for (p = name; *p != '\0'; ++p)
|
|
|
|
if (!is_pfcs(*p))
|
|
|
|
return (0);
|
|
|
|
} else {
|
|
|
|
/* path separator allowed */
|
|
|
|
for (p = name; *p != '\0'; ++p)
|
|
|
|
if (!is_pfcs(*p) && *p != '/')
|
|
|
|
return (0);
|
|
|
|
}
|
2012-04-01 15:01:21 +00:00
|
|
|
return (1);
|
2003-05-25 18:34:31 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2011-11-03 15:39:18 +00:00
|
|
|
* Parse the facility name.
|
|
|
|
*
|
2012-04-01 15:01:21 +00:00
|
|
|
* Returns the corresponding pam_facility_t value, or -1 if the argument
|
|
|
|
* is not a valid facility name.
|
2003-05-25 18:34:31 +00:00
|
|
|
*/
|
2011-11-03 15:39:18 +00:00
|
|
|
static pam_facility_t
|
2012-04-01 15:01:21 +00:00
|
|
|
parse_facility_name(const char *name)
|
2003-05-25 18:34:31 +00:00
|
|
|
{
|
2011-11-03 15:39:18 +00:00
|
|
|
int i;
|
2003-05-25 18:34:31 +00:00
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
for (i = 0; i < PAM_NUM_FACILITIES; ++i)
|
2012-04-01 15:01:21 +00:00
|
|
|
if (strcmp(pam_facility_name[i], name) == 0)
|
|
|
|
return (i);
|
|
|
|
return ((pam_facility_t)-1);
|
2003-05-25 18:34:31 +00:00
|
|
|
}
|
|
|
|
|
2003-05-26 15:31:28 +00:00
|
|
|
/*
|
2011-11-03 15:39:18 +00:00
|
|
|
* Parse the control flag.
|
|
|
|
*
|
2012-04-01 15:01:21 +00:00
|
|
|
* Returns the corresponding pam_control_t value, or -1 if the argument is
|
|
|
|
* not a valid control flag name.
|
2003-05-26 15:31:28 +00:00
|
|
|
*/
|
2011-11-03 15:39:18 +00:00
|
|
|
static pam_control_t
|
2012-04-01 15:01:21 +00:00
|
|
|
parse_control_flag(const char *name)
|
2003-05-26 15:31:28 +00:00
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
for (i = 0; i < PAM_NUM_CONTROL_FLAGS; ++i)
|
2012-04-01 15:01:21 +00:00
|
|
|
if (strcmp(pam_control_flag_name[i], name) == 0)
|
|
|
|
return (i);
|
|
|
|
return ((pam_control_t)-1);
|
2003-05-26 15:31:28 +00:00
|
|
|
}
|
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
/*
|
2012-04-01 15:01:21 +00:00
|
|
|
* Validate a file name.
|
2011-11-03 15:39:18 +00:00
|
|
|
*
|
2012-04-01 15:01:21 +00:00
|
|
|
* Returns a non-zero value if the argument points to a NUL-terminated
|
|
|
|
* string consisting entirely of characters in the POSIX portable filename
|
|
|
|
* character set, including the path separator character.
|
2011-11-03 15:39:18 +00:00
|
|
|
*/
|
|
|
|
static int
|
2012-04-14 14:18:41 +00:00
|
|
|
valid_module_name(const char *name)
|
2011-11-03 15:39:18 +00:00
|
|
|
{
|
2012-04-01 15:01:21 +00:00
|
|
|
const char *p;
|
2011-11-03 15:39:18 +00:00
|
|
|
|
2012-04-14 14:18:41 +00:00
|
|
|
if (OPENPAM_FEATURE(RESTRICT_MODULE_NAME)) {
|
|
|
|
/* path separator not allowed */
|
|
|
|
for (p = name; *p != '\0'; ++p)
|
|
|
|
if (!is_pfcs(*p))
|
|
|
|
return (0);
|
|
|
|
} else {
|
|
|
|
/* path separator allowed */
|
|
|
|
for (p = name; *p != '\0'; ++p)
|
|
|
|
if (!is_pfcs(*p) && *p != '/')
|
|
|
|
return (0);
|
|
|
|
}
|
2012-04-01 15:01:21 +00:00
|
|
|
return (1);
|
2011-11-03 16:09:22 +00:00
|
|
|
}
|
|
|
|
|
2003-05-25 18:34:31 +00:00
|
|
|
typedef enum { pam_conf_style, pam_d_style } openpam_style_t;
|
|
|
|
|
|
|
|
/*
|
2003-06-01 14:23:25 +00:00
|
|
|
* Extracts given chains from a policy file.
|
2012-01-11 00:29:48 +00:00
|
|
|
*
|
|
|
|
* Returns the number of policy entries which were found for the specified
|
|
|
|
* service and facility, or -1 if a system error occurred or a syntax
|
|
|
|
* error was encountered.
|
2003-05-25 18:34:31 +00:00
|
|
|
*/
|
|
|
|
static int
|
2011-11-03 15:39:18 +00:00
|
|
|
openpam_parse_chain(pam_handle_t *pamh,
|
2002-04-12 20:27:47 +00:00
|
|
|
const char *service,
|
2003-06-01 14:23:25 +00:00
|
|
|
pam_facility_t facility,
|
2012-01-11 00:29:48 +00:00
|
|
|
FILE *f,
|
2002-04-12 20:27:47 +00:00
|
|
|
const char *filename,
|
2003-05-25 18:34:31 +00:00
|
|
|
openpam_style_t style)
|
2002-04-12 20:27:47 +00:00
|
|
|
{
|
2003-05-25 18:34:31 +00:00
|
|
|
pam_chain_t *this, **next;
|
2003-06-01 14:23:25 +00:00
|
|
|
pam_facility_t fclt;
|
|
|
|
pam_control_t ctlf;
|
2012-04-01 15:01:21 +00:00
|
|
|
char *name, *servicename, *modulename;
|
|
|
|
int count, lineno, ret, serrno;
|
|
|
|
char **wordv, *word;
|
|
|
|
int i, wordc;
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2012-01-11 00:29:48 +00:00
|
|
|
count = 0;
|
2003-06-01 14:23:25 +00:00
|
|
|
this = NULL;
|
2011-11-03 15:39:18 +00:00
|
|
|
name = NULL;
|
2011-11-05 20:00:46 +00:00
|
|
|
lineno = 0;
|
2012-04-01 15:01:21 +00:00
|
|
|
wordc = 0;
|
|
|
|
wordv = NULL;
|
|
|
|
while ((wordv = openpam_readlinev(f, &lineno, &wordc)) != NULL) {
|
|
|
|
/* blank line? */
|
|
|
|
if (wordc == 0) {
|
|
|
|
FREEV(wordc, wordv);
|
|
|
|
continue;
|
2003-05-25 18:34:31 +00:00
|
|
|
}
|
2012-04-01 15:01:21 +00:00
|
|
|
i = 0;
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2012-04-01 15:01:21 +00:00
|
|
|
/* check service name if necessary */
|
|
|
|
if (style == pam_conf_style &&
|
|
|
|
strcmp(wordv[i++], service) != 0) {
|
|
|
|
FREEV(wordc, wordv);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* check facility name */
|
|
|
|
if ((word = wordv[i++]) == NULL ||
|
|
|
|
(fclt = parse_facility_name(word)) == (pam_facility_t)-1) {
|
2011-11-03 15:39:18 +00:00
|
|
|
openpam_log(PAM_LOG_ERROR,
|
|
|
|
"%s(%d): missing or invalid facility",
|
|
|
|
filename, lineno);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
errno = EINVAL;
|
2003-06-01 14:23:25 +00:00
|
|
|
goto fail;
|
2003-05-26 15:31:28 +00:00
|
|
|
}
|
2003-06-01 14:23:25 +00:00
|
|
|
if (facility != fclt && facility != PAM_FACILITY_ANY) {
|
2012-04-01 15:01:21 +00:00
|
|
|
FREEV(wordc, wordv);
|
2002-04-12 20:27:47 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
/* check for "include" */
|
2012-04-01 15:01:21 +00:00
|
|
|
if ((word = wordv[i++]) != NULL &&
|
|
|
|
strcmp(word, "include") == 0) {
|
|
|
|
if ((servicename = wordv[i++]) == NULL ||
|
|
|
|
!valid_service_name(servicename)) {
|
2011-11-03 15:39:18 +00:00
|
|
|
openpam_log(PAM_LOG_ERROR,
|
2012-04-01 15:01:21 +00:00
|
|
|
"%s(%d): missing or invalid service name",
|
2003-05-26 15:31:28 +00:00
|
|
|
filename, lineno);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
errno = EINVAL;
|
2011-11-03 15:39:18 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
2012-04-01 15:01:21 +00:00
|
|
|
if (wordv[i] != NULL) {
|
2011-11-03 16:09:22 +00:00
|
|
|
openpam_log(PAM_LOG_ERROR,
|
|
|
|
"%s(%d): garbage at end of line",
|
|
|
|
filename, lineno);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
errno = EINVAL;
|
2011-11-03 16:09:22 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
2012-04-01 15:01:21 +00:00
|
|
|
ret = openpam_load_chain(pamh, servicename, fclt);
|
|
|
|
FREEV(wordc, wordv);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
if (ret < 0) {
|
|
|
|
/*
|
|
|
|
* Bogus errno, but this ensures that the
|
|
|
|
* outer loop does not just ignore the
|
|
|
|
* error and keep searching.
|
|
|
|
*/
|
|
|
|
if (errno == ENOENT)
|
|
|
|
errno = EINVAL;
|
2003-05-25 18:34:31 +00:00
|
|
|
goto fail;
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
}
|
2002-04-12 20:27:47 +00:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
/* get control flag */
|
2012-04-01 15:01:21 +00:00
|
|
|
if (word == NULL || /* same word we compared to "include" */
|
|
|
|
(ctlf = parse_control_flag(word)) == (pam_control_t)-1) {
|
2011-11-03 15:39:18 +00:00
|
|
|
openpam_log(PAM_LOG_ERROR,
|
|
|
|
"%s(%d): missing or invalid control flag",
|
|
|
|
filename, lineno);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
errno = EINVAL;
|
2011-11-03 15:39:18 +00:00
|
|
|
goto fail;
|
|
|
|
}
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
/* get module name */
|
2012-04-01 15:01:21 +00:00
|
|
|
if ((modulename = wordv[i++]) == NULL ||
|
2012-04-14 14:18:41 +00:00
|
|
|
!valid_module_name(modulename)) {
|
2002-04-12 20:27:47 +00:00
|
|
|
openpam_log(PAM_LOG_ERROR,
|
2011-11-03 15:39:18 +00:00
|
|
|
"%s(%d): missing or invalid module name",
|
|
|
|
filename, lineno);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
errno = EINVAL;
|
2003-05-25 18:34:31 +00:00
|
|
|
goto fail;
|
2002-04-12 20:27:47 +00:00
|
|
|
}
|
2011-11-03 15:39:18 +00:00
|
|
|
|
|
|
|
/* allocate new entry */
|
|
|
|
if ((this = calloc(1, sizeof *this)) == NULL)
|
|
|
|
goto syserr;
|
2003-06-01 14:23:25 +00:00
|
|
|
this->flag = ctlf;
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2011-11-03 15:39:18 +00:00
|
|
|
/* load module */
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
if ((this->module = openpam_load_module(modulename)) == NULL) {
|
|
|
|
if (errno == ENOENT)
|
|
|
|
errno = ENOEXEC;
|
2003-05-25 18:34:31 +00:00
|
|
|
goto fail;
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
}
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2012-04-01 15:01:21 +00:00
|
|
|
/*
|
|
|
|
* The remaining items in wordv are the module's
|
|
|
|
* arguments. We could set this->optv = wordv + i, but
|
|
|
|
* then free(this->optv) wouldn't work. Instead, we free
|
|
|
|
* the words we've already consumed, shift the rest up,
|
|
|
|
* and clear the tail end of the array.
|
|
|
|
*/
|
|
|
|
this->optc = wordc - i;
|
|
|
|
for (i = 0; i < wordc - this->optc; ++i) {
|
|
|
|
FREE(wordv[i]);
|
2012-05-26 22:57:11 +00:00
|
|
|
}
|
|
|
|
for (i = 0; i < this->optc; ++i) {
|
2012-04-01 15:01:21 +00:00
|
|
|
wordv[i] = wordv[wordc - this->optc + i];
|
|
|
|
wordv[wordc - this->optc + i] = NULL;
|
|
|
|
}
|
|
|
|
this->optv = wordv;
|
|
|
|
wordv = NULL;
|
|
|
|
wordc = 0;
|
|
|
|
|
2003-05-25 18:34:31 +00:00
|
|
|
/* hook it up */
|
2003-06-01 14:23:25 +00:00
|
|
|
for (next = &pamh->chains[fclt]; *next != NULL;
|
|
|
|
next = &(*next)->next)
|
|
|
|
/* nothing */ ;
|
2003-05-25 18:34:31 +00:00
|
|
|
*next = this;
|
|
|
|
this = NULL;
|
2012-01-11 00:29:48 +00:00
|
|
|
++count;
|
2003-05-25 18:34:31 +00:00
|
|
|
}
|
2012-04-01 15:01:21 +00:00
|
|
|
/*
|
|
|
|
* The loop ended because openpam_readword() returned NULL, which
|
|
|
|
* can happen for four different reasons: an I/O error (ferror(f)
|
|
|
|
* is true), a memory allocation failure (ferror(f) is false,
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
* feof(f) is false, errno is non-zero), the file ended with an
|
|
|
|
* unterminated quote or backslash escape (ferror(f) is false,
|
|
|
|
* feof(f) is true, errno is non-zero), or the end of the file was
|
|
|
|
* reached without error (ferror(f) is false, feof(f) is true,
|
|
|
|
* errno is zero).
|
2012-04-01 15:01:21 +00:00
|
|
|
*/
|
|
|
|
if (ferror(f) || errno != 0)
|
2003-05-25 18:34:31 +00:00
|
|
|
goto syserr;
|
2012-04-01 15:01:21 +00:00
|
|
|
if (!feof(f))
|
|
|
|
goto fail;
|
2003-05-25 18:34:31 +00:00
|
|
|
fclose(f);
|
2012-01-11 00:29:48 +00:00
|
|
|
return (count);
|
2008-12-22 14:55:47 +00:00
|
|
|
syserr:
|
2012-01-11 00:29:48 +00:00
|
|
|
serrno = errno;
|
2003-05-25 18:34:31 +00:00
|
|
|
openpam_log(PAM_LOG_ERROR, "%s: %m", filename);
|
2012-01-11 00:29:48 +00:00
|
|
|
errno = serrno;
|
|
|
|
/* fall through */
|
2008-12-22 14:55:47 +00:00
|
|
|
fail:
|
2012-01-11 00:29:48 +00:00
|
|
|
serrno = errno;
|
2012-04-01 15:01:21 +00:00
|
|
|
if (this && this->optc && this->optv)
|
|
|
|
FREEV(this->optc, this->optv);
|
2003-05-25 18:34:31 +00:00
|
|
|
FREE(this);
|
2012-04-01 15:01:21 +00:00
|
|
|
FREEV(wordc, wordv);
|
|
|
|
FREE(wordv);
|
2011-11-03 15:39:18 +00:00
|
|
|
FREE(name);
|
2012-04-01 15:01:21 +00:00
|
|
|
fclose(f);
|
2012-01-11 00:29:48 +00:00
|
|
|
errno = serrno;
|
|
|
|
return (-1);
|
2002-04-12 20:27:47 +00:00
|
|
|
}
|
|
|
|
|
2012-04-14 16:11:39 +00:00
|
|
|
/*
|
|
|
|
* Read the specified chains from the specified file.
|
|
|
|
*
|
|
|
|
* Returns 0 if the file exists but does not contain any matching lines.
|
|
|
|
*
|
|
|
|
* Returns -1 and sets errno to ENOENT if the file does not exist.
|
|
|
|
*
|
|
|
|
* Returns -1 and sets errno to some other non-zero value if the file
|
|
|
|
* exists but is unsafe or unreadable, or an I/O error occurs.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
openpam_load_file(pam_handle_t *pamh,
|
|
|
|
const char *service,
|
|
|
|
pam_facility_t facility,
|
|
|
|
const char *filename,
|
|
|
|
openpam_style_t style)
|
|
|
|
{
|
|
|
|
FILE *f;
|
|
|
|
int ret, serrno;
|
|
|
|
|
|
|
|
/* attempt to open the file */
|
|
|
|
if ((f = fopen(filename, "r")) == NULL) {
|
|
|
|
serrno = errno;
|
|
|
|
openpam_log(errno == ENOENT ? PAM_LOG_DEBUG : PAM_LOG_ERROR,
|
|
|
|
"%s: %m", filename);
|
|
|
|
errno = serrno;
|
|
|
|
RETURNN(-1);
|
|
|
|
} else {
|
|
|
|
openpam_log(PAM_LOG_DEBUG, "found %s", filename);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* verify type, ownership and permissions */
|
|
|
|
if (OPENPAM_FEATURE(VERIFY_POLICY_FILE) &&
|
|
|
|
openpam_check_desc_owner_perms(filename, fileno(f)) != 0) {
|
|
|
|
/* already logged the cause */
|
|
|
|
serrno = errno;
|
|
|
|
fclose(f);
|
|
|
|
errno = serrno;
|
|
|
|
RETURNN(-1);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* parse the file */
|
|
|
|
ret = openpam_parse_chain(pamh, service, facility,
|
|
|
|
f, filename, style);
|
|
|
|
RETURNN(ret);
|
|
|
|
}
|
|
|
|
|
2003-05-25 18:34:31 +00:00
|
|
|
/*
|
2003-06-01 14:23:25 +00:00
|
|
|
* Locates the policy file for a given service and reads the given chains
|
2003-05-25 18:34:31 +00:00
|
|
|
* from it.
|
2012-01-11 00:29:48 +00:00
|
|
|
*
|
|
|
|
* Returns the number of policy entries which were found for the specified
|
|
|
|
* service and facility, or -1 if a system error occurred or a syntax
|
|
|
|
* error was encountered.
|
2003-05-25 18:34:31 +00:00
|
|
|
*/
|
2002-05-02 06:08:02 +00:00
|
|
|
static int
|
2003-06-01 14:23:25 +00:00
|
|
|
openpam_load_chain(pam_handle_t *pamh,
|
2003-05-25 18:34:31 +00:00
|
|
|
const char *service,
|
2003-06-01 14:23:25 +00:00
|
|
|
pam_facility_t facility)
|
2002-04-12 20:27:47 +00:00
|
|
|
{
|
2012-04-14 16:11:39 +00:00
|
|
|
const char *p, **path;
|
2012-01-11 00:29:48 +00:00
|
|
|
char filename[PATH_MAX];
|
2002-04-12 20:27:47 +00:00
|
|
|
size_t len;
|
2012-01-11 00:29:48 +00:00
|
|
|
openpam_style_t style;
|
2012-04-14 20:37:45 +00:00
|
|
|
int ret;
|
2002-04-12 20:27:47 +00:00
|
|
|
|
2012-01-11 00:29:48 +00:00
|
|
|
ENTERS(facility < 0 ? "any" : pam_facility_name[facility]);
|
2012-04-14 16:11:39 +00:00
|
|
|
|
|
|
|
/* either absolute or relative to cwd */
|
|
|
|
if (strchr(service, '/') != NULL) {
|
2012-04-14 20:37:45 +00:00
|
|
|
if ((p = strrchr(service, '.')) != NULL && strcmp(p, ".conf") == 0)
|
2012-04-14 16:11:39 +00:00
|
|
|
style = pam_conf_style;
|
|
|
|
else
|
|
|
|
style = pam_d_style;
|
|
|
|
ret = openpam_load_file(pamh, service, facility,
|
|
|
|
service, style);
|
|
|
|
RETURNN(ret);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* search standard locations */
|
2002-04-12 20:27:47 +00:00
|
|
|
for (path = openpam_policy_path; *path != NULL; ++path) {
|
2012-01-11 00:29:48 +00:00
|
|
|
/* construct filename */
|
|
|
|
len = strlcpy(filename, *path, sizeof filename);
|
2013-09-21 23:22:48 +00:00
|
|
|
if (len >= sizeof filename) {
|
|
|
|
errno = ENAMETOOLONG;
|
|
|
|
RETURNN(-1);
|
|
|
|
}
|
2012-01-11 00:29:48 +00:00
|
|
|
if (filename[len - 1] == '/') {
|
|
|
|
len = strlcat(filename, service, sizeof filename);
|
|
|
|
if (len >= sizeof filename) {
|
|
|
|
errno = ENAMETOOLONG;
|
|
|
|
RETURNN(-1);
|
2002-04-12 20:27:47 +00:00
|
|
|
}
|
2012-01-11 00:29:48 +00:00
|
|
|
style = pam_d_style;
|
2002-04-12 20:27:47 +00:00
|
|
|
} else {
|
2012-01-11 00:29:48 +00:00
|
|
|
style = pam_conf_style;
|
2002-04-12 20:27:47 +00:00
|
|
|
}
|
2012-04-14 16:11:39 +00:00
|
|
|
ret = openpam_load_file(pamh, service, facility,
|
|
|
|
filename, style);
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
/* success */
|
|
|
|
if (ret > 0)
|
|
|
|
RETURNN(ret);
|
2012-04-14 16:11:39 +00:00
|
|
|
/* the file exists, but an error occurred */
|
|
|
|
if (ret == -1 && errno != ENOENT)
|
|
|
|
RETURNN(ret);
|
2012-01-11 00:29:48 +00:00
|
|
|
/* in pam.d style, an empty file counts as a hit */
|
2012-04-14 16:11:39 +00:00
|
|
|
if (ret == 0 && style == pam_d_style)
|
2012-01-11 00:29:48 +00:00
|
|
|
RETURNN(ret);
|
2002-04-12 20:27:47 +00:00
|
|
|
}
|
2012-04-14 16:11:39 +00:00
|
|
|
|
|
|
|
/* no hit */
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
errno = ENOENT;
|
|
|
|
RETURNN(-1);
|
2002-05-02 06:08:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* OpenPAM internal
|
|
|
|
*
|
|
|
|
* Configure a service
|
|
|
|
*/
|
|
|
|
|
|
|
|
int
|
|
|
|
openpam_configure(pam_handle_t *pamh,
|
|
|
|
const char *service)
|
|
|
|
{
|
2003-06-01 14:23:25 +00:00
|
|
|
pam_facility_t fclt;
|
2012-01-11 00:29:48 +00:00
|
|
|
int serrno;
|
2011-11-21 16:25:49 +00:00
|
|
|
|
2012-01-11 00:29:48 +00:00
|
|
|
ENTERS(service);
|
2012-04-14 14:18:41 +00:00
|
|
|
if (!valid_service_name(service)) {
|
|
|
|
openpam_log(PAM_LOG_ERROR, "invalid service name");
|
|
|
|
RETURNC(PAM_SYSTEM_ERR);
|
|
|
|
}
|
In openpam_parse_chain():
1. Finish a comment which was meant to describe the four different
termination conditions for the loop in openpam_parse_chain() but
ended in mid-sentence.
2. Ensure that errno is consistently set to EINVAL if a syntax error
is encountered in the policy file.
3. If openpam_load_module() fails because the module could not be
loaded, set errno to ENOEXEC instead of ENOENT. This closes a hole
where a missing module or a typo in a module name would cause the
corresponding chain to fail open. Normally, if the policy exists
but cannot be loaded, openpam_load_chain() will return an error,
and openpam_configure() will discard any partially constructed
chains. However, openpam_load_chain() interprets ENOENT to mean
that the policy was not found, so it does not immediately return an
error, the partially-loaded chain is not discarded, and the policy
is incorrectly considered to have been successfully loaded.
4. Ensure that errors encountered while parsing an included policy are
correctly propagated to the original policy, and that ENOENT while
processing an include directive is a hard error, not a soft error.
CVE-2014-3879
git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@795 185d5e19-27fe-0310-9dcf-9bff6b9f3609
2014-06-03 21:27:48 +00:00
|
|
|
if (openpam_load_chain(pamh, service, PAM_FACILITY_ANY) < 0) {
|
|
|
|
if (errno != ENOENT)
|
|
|
|
goto load_err;
|
|
|
|
}
|
2003-06-01 14:23:25 +00:00
|
|
|
for (fclt = 0; fclt < PAM_NUM_FACILITIES; ++fclt) {
|
|
|
|
if (pamh->chains[fclt] != NULL)
|
|
|
|
continue;
|
2015-07-30 23:42:38 +00:00
|
|
|
if (OPENPAM_FEATURE(FALLBACK_TO_OTHER)) {
|
|
|
|
if (openpam_load_chain(pamh, PAM_OTHER, fclt) < 0)
|
|
|
|
goto load_err;
|
|
|
|
}
|
2002-05-02 06:08:02 +00:00
|
|
|
}
|
2012-01-11 00:29:48 +00:00
|
|
|
RETURNC(PAM_SUCCESS);
|
2008-12-22 14:55:47 +00:00
|
|
|
load_err:
|
2012-01-11 00:29:48 +00:00
|
|
|
serrno = errno;
|
2003-06-01 14:23:25 +00:00
|
|
|
openpam_clear_chains(pamh->chains);
|
2012-01-11 00:29:48 +00:00
|
|
|
errno = serrno;
|
|
|
|
RETURNC(PAM_SYSTEM_ERR);
|
2002-04-12 20:27:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* NODOC
|
|
|
|
*
|
|
|
|
* Error codes:
|
|
|
|
* PAM_SYSTEM_ERR
|
|
|
|
*/
|