misc/169645: Made OPIE support tunable at kernel level
Zak Blacher
zblacher at sandvine.com
Wed Jul 4 14:30:08 UTC 2012
>Number: 169645
>Category: misc
>Synopsis: Made OPIE support tunable at kernel level
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jul 04 14:30:07 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Zak Blacher
>Release: FreeBSD 8.2
>Organization:
Sandvine Corporation
>Environment:
FreeBSD xxxxxxxxx.sandvine.com 8.2-RELEASE FreeBSD 8.2-RELEASE (GENERIC amd64) amd64
>Description:
re: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938
Added an option to completely remove the OPIE-related libraries and executables.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
Index: usr.bin/telnet/Makefile
===================================================================
--- usr.bin/telnet/Makefile (revision 237654)
+++ usr.bin/telnet/Makefile (working copy)
@@ -10,7 +10,7 @@
SRCS= commands.c main.c network.c ring.c sys_bsd.c \
telnet.c terminal.c utilities.c
-CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
+CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK \
-I${TELNETDIR} -I${TELNETDIR}/libtelnet/
.if ${MK_INET6_SUPPORT} != "no"
@@ -47,4 +47,8 @@
.endif
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+= -DOPIE
+.endif
+
.include <bsd.prog.mk>
Index: usr.bin/Makefile
===================================================================
--- usr.bin/Makefile (revision 237654)
+++ usr.bin/Makefile (working copy)
@@ -143,9 +143,9 @@
nohup \
${_nslookup} \
${_nsupdate} \
- opieinfo \
- opiekey \
- opiepasswd \
+ ${_opieinfo} \
+ ${_opiekey} \
+ ${_opiepasswd} \
pagesize \
passwd \
paste \
@@ -178,7 +178,6 @@
split \
stat \
su \
- systat \
tabs \
tail \
talk \
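Review bot: The deleted `systat \` line removes systat(1) from the usr.bin SUBDIR list, which has nothing to do with OPIE and is not mentioned in the description. It looks like a stray local change that was swept into the working copy; restore the line. The other usr.bin/Makefile hunks (the `${_opieinfo}`/`${_opiekey}`/`${_opiepasswd}` indirection and the `.if ${MK_OPIE_SUPPORT} != "no"` block that defines them) are consistent with each other.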
@@ -390,4 +389,10 @@
_smbutil= smbutil
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+_opieinfo= opieinfo
+_opiekey= opiekey
+_opiepasswd= opiepasswd
+.endif
+
.include <bsd.subdir.mk>
Index: share/mk/bsd.own.mk
===================================================================
--- share/mk/bsd.own.mk (revision 237654)
+++ share/mk/bsd.own.mk (working copy)
@@ -357,6 +357,7 @@
OBJC \
OPENSSH \
OPENSSL \
+ OPIE \
PAM \
PF \
PKGTOOLS \
@@ -505,6 +506,7 @@
KERBEROS \
KVM \
NETGRAPH \
+ OPIE \
PAM \
WIRELESS
.if defined(WITH_${var}_SUPPORT) && defined(WITHOUT_${var}_SUPPORT)
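Review bot: OPIE is added both to the component knob list and to the `_SUPPORT` list, mirroring PAM, yet every consumer in this patch — including lib/Makefile and usr.bin/Makefile, which build libopie and the opie* utilities themselves — tests only `MK_OPIE_SUPPORT`. If the `_SUPPORT` loop here derives `MK_OPIE_SUPPORT` from `MK_OPIE` the way the conditional that follows suggests, the convention would be to gate the libopie/opieinfo/opiekey/opiepasswd builds on `${MK_OPIE}` and leave `${MK_OPIE_SUPPORT}` for the programs that merely link against it (ftpd, telnet, the PAM modules). Whichever split is chosen, the new knobs also need the usual src.conf(5) description so that `WITHOUT_OPIE` / `WITHOUT_OPIE_SUPPORT` are discoverable; the patch adds none.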
Index: share/mk/bsd.libnames.mk
===================================================================
--- share/mk/bsd.libnames.mk (revision 237654)
+++ share/mk/bsd.libnames.mk (working copy)
@@ -101,7 +101,11 @@
LIBNGATM?= ${DESTDIR}${LIBDIR}/libngatm.a
LIBNVPAIR?= ${DESTDIR}${LIBDIR}/libnvpair.a
LIBOBJC?= ${DESTDIR}${LIBDIR}/libobjc.a
+.if ${MK_OPIE_SUPPORT} != "no"
LIBOPIE?= ${DESTDIR}${LIBDIR}/libopie.a
+LIBPAM+= ${LIBOPIE}
+MINUSLPAM+= -lopie
+.endif
# The static PAM library doesn't know its secondary dependencies,
# so we have to specify them explicitly.
@@ -116,7 +120,7 @@
LIBPAM+= ${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
${LIBUTIL} ${LIBOPIE} ${LIBMD}
MINUSLPAM+= -lradius -ltacplus -lcrypt \
- -lutil -lopie -lmd
+ -lutil -lmd
.if ${MK_OPENSSH} != "no"
LIBPAM+= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT}
MINUSLPAM+= -lssh -lcrypto -lcrypt
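Review bot: `${LIBOPIE}` is still listed in the unconditional `LIBPAM+=` assignment (`${LIBUTIL} ${LIBOPIE} ${LIBMD}`) even though the matching `-lopie` was removed from `MINUSLPAM` and LIBOPIE is now only defined inside the `.if ${MK_OPIE_SUPPORT}` block of the previous hunk. With OPIE enabled libopie therefore appears twice in LIBPAM; with it disabled the reference expands to an empty word in every consumer's DPADD. Change the context line to `${LIBUTIL} ${LIBMD}` so the conditional block is the single place that adds libopie to the PAM link set.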
Index: lib/Makefile
===================================================================
--- lib/Makefile (revision 237654)
+++ lib/Makefile (working copy)
@@ -82,7 +82,7 @@
${_libmp} \
${_libncp} \
${_libngatm} \
- libopie \
+ ${_libopie} \
libpam \
libpcap \
${_libpmc} \
@@ -202,4 +202,8 @@
_libusb= libusb
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+_libopie= libopie
+.endif
+
.include <bsd.subdir.mk>
Index: lib/libpam/modules/modules.inc
===================================================================
--- lib/libpam/modules/modules.inc (revision 237654)
+++ lib/libpam/modules/modules.inc (working copy)
@@ -17,8 +17,10 @@
MODULES += pam_lastlog
MODULES += pam_login_access
MODULES += pam_nologin
+.if ${MK_OPIE_SUPPORT} != "no"
MODULES += pam_opie
MODULES += pam_opieaccess
+.endif
MODULES += pam_passwdqc
MODULES += pam_permit
MODULES += pam_radius
Index: etc/Makefile
===================================================================
--- etc/Makefile (revision 237654)
+++ etc/Makefile (working copy)
@@ -104,6 +104,9 @@
.if ${MK_SENDMAIL} != "no"
MTREE+= BSD.sendmail.dist
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+MTREE+= BSD.opie.dist
+.endif
.if ${MK_BIND} != "no"
MTREE+= BIND.chroot.dist
.if ${MK_BIND_LIBS} != "no"
@@ -156,7 +159,8 @@
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \
${BIN2} ${DESTDIR}/etc; \
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
- master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+ master.passwd nsmb.conf ${DESTDIR}/etc; \
+
.if ${MK_AT} == "no"
sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
.endif
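Review bot: The rewritten install line now ends in a continuation backslash (`master.passwd nsmb.conf ${DESTDIR}/etc; \`) followed by an added blank line, so the shell command is continued onto an empty line. The original line ended at the `;`; drop the trailing ` \` and the blank line so the recipe ends before the `.if ${MK_AT} == "no"` directive. The enclosing install target begins before this hunk.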
@@ -203,6 +207,10 @@
cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
${SSL} ${DESTDIR}/etc/ssl
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+ cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+ opieaccess ${DESTDIR}/etc
+.endif
.if ${MK_KERBEROS} != "no"
cd ${.CURDIR}/root; \
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
@@ -270,6 +278,9 @@
.if ${MK_SENDMAIL} != "no"
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.opie.dist -p ${DESTDIR}/
+.endif
cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
cd ${DESTDIR}/usr/share/man/en.UTF-8; ln -sf ../man* .
@@ -301,7 +312,7 @@
etc-examples:
cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
- ${BIN1} ${BIN2} nsmb.conf opieaccess \
+ ${BIN1} ${BIN2} nsmb.conf \
${DESTDIR}/usr/share/examples/etc
${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \
DESTDIR=${DESTDIR}/usr/share/examples
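Review bot: `opieaccess` is removed from the `etc-examples` install list unconditionally, so the example file disappears from /usr/share/examples/etc even when OPIE support is enabled, whereas the install of the live /etc/opieaccess in the earlier hunk was correctly made conditional. Mirror that hunk with a guarded install of the example, as sketched below. The `etc-examples` target continues past this hunk.
```makefile
etc-examples:
	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
	    ${BIN1} ${BIN2} nsmb.conf \
	    ${DESTDIR}/usr/share/examples/etc
.if ${MK_OPIE_SUPPORT} != "no"
	cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
	    opieaccess ${DESTDIR}/usr/share/examples/etc
.endif
# … unchanged: defaults install …
```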
Index: etc/mtree/BSD.var.dist
===================================================================
--- etc/mtree/BSD.var.dist (revision 237654)
+++ etc/mtree/BSD.var.dist (working copy)
@@ -77,8 +77,6 @@
..
mqueue
..
- opielocks mode=0700
- ..
output
lpd
..
Index: etc/mtree/BSD.opie.dist
===================================================================
--- etc/mtree/BSD.opie.dist (revision 0)
+++ etc/mtree/BSD.opie.dist (revision 0)
@@ -0,0 +1,15 @@
+# $FreeBSD$
+#
+# Please see the file src/etc/mtree/README before making changes to this file.
+#
+
+/set type=dir uname=root gname=wheel mode=0755
+. nochange
+ var nochange
+ spool nochange
+ opielocks gname=daemon mode=0700
+ ..
+ ..
+ ..
+..
+
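Review bot: The relocated `opielocks` entry gains `gname=daemon`, while the entry deleted from BSD.var.dist in the previous hunk specified only `mode=0700` and presumably inherited the group from that file's `/set` line (the new file's own `/set` says `gname=wheel`). With mode 0700 the group has no effective access, but a silent ownership change on a lock directory should be deliberate and explained. Either drop `gname=daemon` so the entry reads `opielocks mode=0700` as before, or add a comment stating why the group changes.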
Index: etc/mtree/Makefile
===================================================================
--- etc/mtree/Makefile (revision 237654)
+++ etc/mtree/Makefile (working copy)
@@ -10,6 +10,7 @@
BSD.usr.dist \
BSD.var.dist \
BSD.x11-4.dist \
+ BSD.opie.dist \
BSD.x11.dist
.if ${MK_BIND} != "no"
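Review bot: `BSD.opie.dist \` is inserted between `BSD.x11-4.dist` and `BSD.x11.dist`, which breaks the alphabetical order the surrounding FILES entries follow; it belongs before `BSD.usr.dist \`. The rest of the FILES list starts before this hunk.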
Index: libexec/lukemftpd/Makefile
===================================================================
--- libexec/lukemftpd/Makefile (revision 237654)
+++ libexec/lukemftpd/Makefile (working copy)
@@ -1,8 +1,6 @@
# @(#)Makefile 8.2 (Berkeley) 4/4/94
# $FreeBSD$
-.include <bsd.own.mk>
-
LUKEMFTPD= ${.CURDIR}/../../contrib/lukemftpd
.PATH: ${LUKEMFTPD}/src ${LUKEMFTPD}/libnetbsd
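Review bot: Deleting `.include <bsd.own.mk>` and rewriting the conditionals as `.if !defined(NO_INET6)`, `.if !defined(NO_PAM)` and `.if !defined(NO_OPIE)` (the two following hunks in this file) disconnects lukemftpd from the `MK_*_SUPPORT` knobs that the rest of the patch relies on: `WITHOUT_OPIE_SUPPORT` in src.conf would still build lukemftpd with OPIE, and the existing `WITHOUT_INET6_SUPPORT` / `WITHOUT_PAM_SUPPORT` knobs would stop having any effect on this program. This looks like a reversion to an older copy of the Makefile rather than an intended change. Keep the include and the `${MK_INET6_SUPPORT}` / `${MK_PAM_SUPPORT}` tests, and guard the new block with `.if ${MK_OPIE_SUPPORT} != "no"` exactly as libexec/ftpd/Makefile does. The new block also appends `-lopie` after the unconditional `-lmd`; the original `-lopie -lmd` ordering suggests libopie depends on libmd, so for a static link `-lmd` should follow `-lopie`.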
@@ -14,7 +12,7 @@
WFORMAT= 0
-.if ${MK_INET6_SUPPORT} != "no"
+.if !defined(NO_INET6)
CFLAGS+= -DINET6
.endif
@@ -33,16 +31,22 @@
DPADD+= ${LIBM}
LDADD+= -lm
-CFLAGS+= -DUSE_OPIE -DLOGIN_CAP
-DPADD+= ${LIBOPIE} ${LIBMD}
-LDADD+= -lopie -lmd
+CFLAGS+= -DLOGIN_CAP
+DPADD+= ${LIBMD}
+LDADD+= -lmd
-.if ${MK_PAM_SUPPORT} != "no"
+.if !defined(NO_PAM)
CFLAGS+= -DUSE_PAM
DPADD+= ${LIBPAM}
LDADD+= ${MINUSLPAM}
.endif
+.if !defined(NO_OPIE)
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
CLEANFILES+= ls-unmain.c
ls-unmain.c: ls.c
sed -e 's/^main(/ls_main(/g' -e 's,extern.h,${LSDIR}/extern.h,' \
@@ -58,3 +62,4 @@
.include <bsd.prog.mk>
${OBJS}: ${.CURDIR}/nbsd2fbsd.h
+
Index: libexec/ftpd/Makefile
===================================================================
--- libexec/ftpd/Makefile (revision 237654)
+++ libexec/ftpd/Makefile (working copy)
@@ -17,8 +17,8 @@
LDADD= -lutil -lcrypt
# XXX Kluge! Conversation mechanism needs to be fixed.
-DPADD+= ${LIBOPIE} ${LIBMD}
-LDADD+= -lopie -lmd
+DPADD+= ${LIBMD}
+LDADD+= -lmd
LSDIR= ../../bin/ls
.PATH: ${.CURDIR}/${LSDIR}
@@ -33,8 +33,14 @@
.if ${MK_PAM_SUPPORT} != "no"
CFLAGS+=-DUSE_PAM
-DPADD+= ${LIBPAM}
-LDADD+= ${MINUSLPAM}
+DPADD+= ${LIBPAM}
+LDADD+= ${MINUSLPAM}
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
.include <bsd.prog.mk>
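Review bot: The `DPADD+= ${LIBPAM}` and `LDADD+= ${MINUSLPAM}` lines inside the PAM block are changed only in whitespace, which adds noise to the diff; leave them untouched. The new OPIE block appends `-lopie` after the `-lmd` that the first hunk of this file moved into the unconditional LDADD, while the original kept them as `-lopie -lmd`; if libopie uses libmd, as that ordering suggests, a static link would need `-lmd` after `-lopie`, so either place the OPIE block ahead of the `-lmd` line or add `LDADD+= -lmd` inside the block after `-lopie`.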
Index: libexec/ftpd/ftpd.c
===================================================================
--- libexec/ftpd/ftpd.c (revision 237654)
+++ libexec/ftpd/ftpd.c (working copy)
@@ -79,7 +79,6 @@
#include <netdb.h>
#include <pwd.h>
#include <grp.h>
-#include <opie.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
@@ -97,6 +96,10 @@
#include <security/pam_appl.h>
#endif
+#ifdef USE_OPIE
+#include <opie.h>
+#endif
+
#include "pathnames.h"
#include "extern.h"
@@ -105,6 +108,9 @@
static char version[] = "Version 6.00LS";
#undef main
+extern off_t restart_point;
+extern char cbuf[];
+
union sockunion ctrl_addr;
union sockunion data_source;
union sockunion data_dest;
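Review bot: The added `extern off_t restart_point;` / `extern char cbuf[];` declarations are unrelated to OPIE, and so are several later hunks in this file: the new `ecode` parameter of `checkuser()` and its callers in `user()` and `pass()`, the deleted `__FreeBSD_libc_enter_restricted_mode();` call, the `SO_SNDBUF` block in the data-connection code, and the `ftpd_popen()` NULL check. They look like the difference between two unrelated ftpd.c revisions that was captured in this working copy rather than deliberate parts of the OPIE change. Regenerate the ftpd.c diff so it contains only the `#ifdef USE_OPIE` hunks, and submit anything else that is wanted as its own PR; if the externs are genuinely needed they are presumably already provided by the `extern.h` this file includes.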
@@ -181,8 +187,11 @@
pam_handle_t *pamh = NULL;
#endif
+#ifdef USE_OPIE
static struct opie opiedata;
static char opieprompt[OPIE_CHALLENGE_MAX+1];
+#endif
+
static int pwok;
char *pid_file = NULL; /* means default location to pidfile(3) */
@@ -245,7 +254,7 @@
static void maskurg(int);
static void flagxfer(int);
static int myoob(void);
-static int checkuser(char *, char *, int, char **);
+static int checkuser(char *, char *, int, char **, int *);
static FILE *dataconn(char *, off_t, char *);
static void dolog(struct sockaddr *);
static void end_login(void);
@@ -998,6 +1007,7 @@
void
user(char *name)
{
+ int ecode;
char *cp, *shell;
if (logged_in) {
@@ -1018,9 +1028,12 @@
pw = sgetpwnam("ftp");
#endif
if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
- if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL) ||
- checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL))
+ if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL, &ecode) ||
+ (ecode != 0 && ecode != ENOENT))
reply(530, "User %s access denied.", name);
+ else if (checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL, &ecode) ||
+ (ecode != 0 && ecode != ENOENT))
+ reply(530, "User %s access denied.", name);
else if (pw != NULL) {
guest = 1;
askpasswd = 1;
@@ -1047,7 +1060,9 @@
break;
endusershell();
- if (cp == NULL || checkuser(_PATH_FTPUSERS, name, 1, NULL)) {
+ if (cp == NULL ||
+ (checkuser(_PATH_FTPUSERS, name, 1, NULL, &ecode) ||
+ (ecode != 0 && ecode != ENOENT))) {
reply(530, "User %s access denied.", name);
if (logging)
syslog(LOG_NOTICE,
@@ -1064,13 +1079,18 @@
#ifdef USE_PAM
/* XXX Kluge! The conversation mechanism needs to be fixed. */
#endif
+
+#ifdef USE_OPIE
if (opiechallenge(&opiedata, name, opieprompt) == 0) {
pwok = (pw != NULL) &&
opieaccessfile(remotehost) &&
opiealways(pw->pw_dir);
reply(331, "Response to %s %s for %s.",
opieprompt, pwok ? "requested" : "required", name);
- } else {
+ }
+ else
+#endif
+ {
pwok = 1;
reply(331, "Password required for %s.", name);
}
@@ -1089,13 +1109,15 @@
* of the matching line in "residue" if not NULL.
*/
static int
-checkuser(char *fname, char *name, int pwset, char **residue)
+checkuser(char *fname, char *name, int pwset, char **residue, int *ecode)
{
FILE *fd;
int found = 0;
size_t len;
char *line, *mp, *p;
+ if (ecode != NULL)
+ *ecode = 0;
if ((fd = fopen(fname, "r")) != NULL) {
while (!found && (line = fgetln(fd, &len)) != NULL) {
/* skip comments */
@@ -1164,7 +1186,8 @@
free(mp);
}
(void) fclose(fd);
- }
+ } else if (ecode != NULL)
+ *ecode = errno;
return (found);
}
@@ -1361,7 +1384,7 @@
void
pass(char *passwd)
{
- int rval;
+ int rval, ecode;
FILE *fd;
#ifdef LOGIN_CAP
login_cap_t *lc = NULL;
@@ -1385,13 +1408,18 @@
#ifdef USE_PAM
rval = auth_pam(&pw, passwd);
if (rval >= 0) {
+#ifdef USE_OPIE
opieunlock();
+#endif
goto skip;
}
#endif
+#ifdef USE_OPIE
if (opieverify(&opiedata, passwd) == 0)
xpasswd = pw->pw_passwd;
- else if (pwok) {
+ else
+#endif
+ if (pwok) {
xpasswd = crypt(passwd, pw->pw_passwd);
if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
xpasswd = ":";
@@ -1492,11 +1520,21 @@
stats = 0;
dochroot =
- checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue)
+ checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue, &ecode)
#ifdef LOGIN_CAP /* Allow login.conf configuration as well */
|| login_getcapbool(lc, "ftp-chroot", 0)
#endif
;
+ /*
+ * It is possible that checkuser() failed to open the chroot file.
+ * If this is the case, report that logins are un-available, since we
+ * have no way of checking whether or not the user should be chrooted.
+ * We ignore ENOENT since it is not required that this file be present.
+ */
+ if (ecode != 0 && ecode != ENOENT) {
+ reply(530, "Login not available right now.");
+ return;
+ }
chrootdir = NULL;
/*
* For a chrooted local user,
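Review bot: The new `reply(530, "Login not available right now."); return;` leaves `pass()` directly, while the other failure paths in this function use `goto bad` (the next hunk shows `reply(550, "Can't change root."); goto bad;`), which presumably releases `lc` and `pw` and resets the partial login state; an early return here would skip that. If the `bad:` label, which lies outside the hunk, does that cleanup, use `goto bad;` instead of `return;`. The check itself is sound: an unreadable ftpchroot file fails closed and `ENOENT` is treated as "no chroot list", matching the added comment.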
@@ -1543,7 +1581,6 @@
reply(550, "Can't change root.");
goto bad;
}
- __FreeBSD_libc_enter_restricted_mode();
} else /* real user w/o chroot */
homedir = pw->pw_dir;
/*
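Review bot: The deleted `__FreeBSD_libc_enter_restricted_mode();` is the call that, after the successful `chroot()` in this block, switches libc into its restricted mode; my understanding is that this is what stops libc from loading nsswitch and similar modules out of the now user-controlled root, so dropping it reverts a hardening fix and has no connection to OPIE. Keep the line; if it must go, that needs its own justification and review. The chroot block this sits in starts before the hunk.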
@@ -1874,12 +1911,20 @@
#ifdef TCP_NOPUSH
/*
* Turn off push flag to keep sender TCP from sending short packets
- * at the boundaries of each write().
+ * at the boundaries of each write(). Should probably do a SO_SNDBUF
+ * to set the send buffer size as well, but that may not be desirable
+ * in heavy-load situations.
*/
on = 1;
if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof on) < 0)
syslog(LOG_WARNING, "data setsockopt (TCP_NOPUSH): %m");
#endif
+#ifdef SO_SNDBUF
+ on = 65536;
+ if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on) < 0)
+ syslog(LOG_WARNING, "data setsockopt (SO_SNDBUF): %m");
+#endif
+
return (fdopen(s, mode));
bad:
/* Return the real value of errno (close may change it) */
@@ -2331,6 +2376,10 @@
code = lstat(filename, &st) == 0 && S_ISDIR(st.st_mode) ? 212 : 213;
(void)snprintf(line, sizeof(line), _PATH_LS " -lgA %s", filename);
fin = ftpd_popen(line, "r");
+ if (fin == NULL) {
+ perror_reply(551, filename);
+ return;
+ }
lreply(code, "Status of %s:", filename);
atstart = 1;
while ((c = getc(fin)) != EOF) {
@@ -3467,3 +3516,4 @@
}
return(socks);
}
+
>Release-Note:
>Audit-Trail:
>Unformatted: