misc/109416: pam_group doesn't check login_group membership in some
situations
siflus
siflus at gmail.com
Thu Feb 22 02:40:07 UTC 2007
>Number: 109416
>Category: misc
>Synopsis: pam_group doesn't check login_group membership in some situations
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Feb 22 02:40:06 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: siflus
>Release: 6.2-RELEASE
>Organization:
>Environment:
FreeBSD trashed.local 6.2-RELEASE FreeBSD 6.2-RELEASE #0: Fri Jan 12 23:30:59 UTC 2007 root at s-dallas.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC sparc64
>Description:
if a group is empty as per /etc/group, pam_group.so fails
before checking if the user's login_group matches.
>How-To-Repeat:
set a user's login group to the gid of some group.
make sure there aren't any usernames in /etc/group
add this to something like /etc/pam.d/su
auth required pam_group.so no_warn group=YOUR_GROUP
that way you're required to be in the wheel group in order to su.
try to su. :)
>Fix:
it looks to me like the author intended to check the gid..however due to
the initial check if the group is empty...it fails before it gets to that point.
---------- 8< ---- snip ---- 8< -----------
if ((group = openpam_get_option(pamh, "group")) == NULL)
group = "wheel";
if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL)
goto failed;
A /* check if the group is empty */
A if (*grp->gr_mem == NULL)
A goto failed;
B /* check membership */
B if (pwd->pw_gid == grp->gr_gid)
B goto found;
for (list = grp->gr_mem; *list != NULL; ++list)
if (strcmp(*list, pwd->pw_name) == 0)
goto found;
---------- 8< ---- snip ---- 8< -----------
Currently the logic is ->
if group.members is Empty:
goto failed
if user.group = group.gid:
goto found
if user in group.members:
goto found
I think A and B should be swapped, that way the logic looks like ->
if user.group = group.gid:
goto found
if group.members is empty:
goto failed
if user in group.members:
goto found
Patch attached with submission follows:
diff -cru libpam/modules/pam_group/pam_group.c /home/siflus/pam_group/pam_group.c
--- libpam/modules/pam_group/pam_group.c Thu Dec 11 08:55:15 2003
+++ /home/siflus/pam_group/pam_group.c Wed Feb 21 21:02:13 2007
@@ -80,13 +80,14 @@
if ((grp = getgrnam(group)) == NULL || grp->gr_mem == NULL)
goto failed;
- /* check if the group is empty */
- if (*grp->gr_mem == NULL)
- goto failed;
-
/* check membership */
if (pwd->pw_gid == grp->gr_gid)
goto found;
+
+ /* check if there are no members in the group */
+ if (*grp->gr_mem == NULL)
+ goto failed;
+
for (list = grp->gr_mem; *list != NULL; ++list)
if (strcmp(*list, pwd->pw_name) == 0)
goto found;
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list