misc/169681: Made OPIE support tunable at kernel level
Zak Blacher
zblacher at sandvine.com
Fri Jul 6 13:30:12 UTC 2012
>Number: 169681
>Category: misc
>Synopsis: Made OPIE support tunable at kernel level
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Jul 06 13:30:12 UTC 2012
>Closed-Date:
>Last-Modified:
>Originator: Zak Blacher
>Release: releng_9
>Organization:
Sandvine Corporation
>Environment:
>Description:
re: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938
Added an option to completely remove the OPIE-related libraries and executables.
>How-To-Repeat:
>Fix:
Patch attached with submission follows:
Index: usr.bin/telnet/Makefile
===================================================================
--- usr.bin/telnet/Makefile (revision 238117)
+++ usr.bin/telnet/Makefile (working copy)
@@ -10,7 +10,7 @@
SRCS= commands.c main.c network.c ring.c sys_bsd.c \
telnet.c terminal.c utilities.c
-CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
+CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK \
-I${TELNETDIR} -I${TELNETDIR}/libtelnet/
.if ${MK_INET6_SUPPORT} != "no"
@@ -49,4 +49,8 @@
.endif
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+= -DOPIE
+.endif
+
.include <bsd.prog.mk>
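Review bot: Only the compiler flag is gated here; if this Makefile, or libtelnet's, also adds libopie to DPADD/LDADD outside the shown hunks, that line needs the same `.if ${MK_OPIE_SUPPORT} != "no"` guard, since the lib/Makefile change in this patch stops building libopie when the option is off and the link would then fail. I cannot see the link lines from this hunk, so this is inferred rather than observed.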
Index: usr.bin/Makefile
===================================================================
--- usr.bin/Makefile (revision 238117)
+++ usr.bin/Makefile (working copy)
@@ -143,7 +143,6 @@
split \
stat \
su \
- systat \
tabs \
tail \
talk \
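Review bot: Dropping `systat` from SUBDIR has nothing to do with OPIE and silently removes a utility from the build; it looks like an unrelated local change that leaked into this patch. Either drop this hunk or submit it separately with its own justification.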
@@ -341,6 +340,12 @@
SUBDIR+= wtmpcvt
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+_opieinfo= opieinfo
+_opiekey= opiekey
+_opiepasswd= opiepasswd
+.endif
+
.include <bsd.arch.inc.mk>
SUBDIR:= ${SUBDIR:O}
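Review bot: `_opieinfo`, `_opiekey` and `_opiepasswd` are defined here, but no hunk in this file replaces the literal `opieinfo`, `opiekey` and `opiepasswd` entries in SUBDIR with `${_opieinfo}`, `${_opiekey}` and `${_opiepasswd}`, so as submitted the three programs appear to be built unconditionally (unless that substitution lies outside the shown hunks). Placing the `.if` block before the `SUBDIR:= ${SUBDIR:O}` line is correct, since that assignment expands immediately; it just needs the variable references to have any effect.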
Index: gnu/usr.bin/Makefile
===================================================================
--- gnu/usr.bin/Makefile (revision 238117)
+++ gnu/usr.bin/Makefile (working copy)
@@ -18,7 +18,6 @@
sdiff \
send-pr \
sort \
- ${_texinfo}
.if ${MK_CXX} != "no"
_gperf= gperf
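Review bot: Removing `${_texinfo}` is unrelated to OPIE and, because the deleted line was the last entry of the SUBDIR continuation, leaves `sort \` with a trailing backslash so that the following `.if ${MK_CXX} != "no"` line is joined into the SUBDIR assignment instead of being parsed as a directive. Drop this hunk entirely; if texinfo really is meant to go, the preceding line must become `sort` without the backslash, and that change belongs in a separate PR.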
Index: share/mk/bsd.own.mk
===================================================================
--- share/mk/bsd.own.mk (revision 238117)
+++ share/mk/bsd.own.mk (working copy)
@@ -373,6 +373,7 @@
NTP \
OPENSSH \
OPENSSL \
+ OPIE \
PAM \
PF \
PKGTOOLS \
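Review bot: The new OPIE knob is undocumented: FreeBSD generates src.conf(5) from a per-option description file, and without one the WITHOUT_OPIE setting does not appear in the manual page users consult to find such knobs. A short description listing what the option removes (libopie, the opieinfo/opiekey/opiepasswd utilities, pam_opie and pam_opieaccess, /etc/opieaccess and the opielocks spool directory) would also give reviewers one place to check the patch's coverage against. The CVE cited in the PR description is the rationale and belongs in that text as well.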
@@ -570,6 +571,7 @@
KERBEROS \
KVM \
NETGRAPH \
+ OPIE \
PAM \
WIRELESS
.if defined(WITH_${var}_SUPPORT) && defined(WITHOUT_${var}_SUPPORT)
Index: share/mk/bsd.libnames.mk
===================================================================
--- share/mk/bsd.libnames.mk (revision 238117)
+++ share/mk/bsd.libnames.mk (working copy)
@@ -116,7 +116,7 @@
LIBPAM+= ${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
${LIBUTIL} ${LIBOPIE} ${LIBMD}
MINUSLPAM+= -lradius -ltacplus -lcrypt \
- -lutil -lopie -lmd
+ -lutil -lmd
.if ${MK_OPENSSH} != "no"
LIBPAM+= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT}
MINUSLPAM+= -lssh -lcrypto -lcrypt
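Review bot: `MINUSLPAM` drops `-lopie` unconditionally while the matching `LIBPAM+=` line just above still lists `${LIBOPIE}`, and pam_opie is still built whenever MK_OPIE_SUPPORT is not "no", so programs that link PAM statically would lose a library they still need. Both lines should be gated together, mirroring the `MK_OPENSSH` block directly below: `.if ${MK_OPIE_SUPPORT} != "no"` / `LIBPAM+= ${LIBOPIE}` / `MINUSLPAM+= -lopie` / `.endif`, with `${LIBOPIE}` and `-lopie` taken out of the unconditional lines.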
Index: lib/Makefile
===================================================================
--- lib/Makefile (revision 238117)
+++ lib/Makefile (working copy)
@@ -86,7 +86,7 @@
${_libmp} \
${_libncp} \
${_libngatm} \
- libopie \
+ ${_libopie} \
libpam \
libpcap \
${_libpmc} \
@@ -230,4 +230,8 @@
_libusb= libusb
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+_libopie= libopie
+.endif
+
.include <bsd.subdir.mk>
Index: lib/libpam/modules/modules.inc
===================================================================
--- lib/libpam/modules/modules.inc (revision 238117)
+++ lib/libpam/modules/modules.inc (working copy)
@@ -17,8 +17,10 @@
MODULES += pam_lastlog
MODULES += pam_login_access
MODULES += pam_nologin
+.if ${MK_OPIE_SUPPORT} != "no"
MODULES += pam_opie
MODULES += pam_opieaccess
+.endif
MODULES += pam_passwdqc
MODULES += pam_permit
MODULES += pam_radius
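Review bot: Gating the module build is only half of the job: the stock PAM policy files installed under /etc reference pam_opie and pam_opieaccess, and this patch does not touch them, so a WITHOUT_OPIE build installs policies that point at modules which no longer exist. Depending on how the PAM library treats a missing module this can make every login fail rather than merely skip the OPIE step, so those policy files need the same conditional treatment, or the PR should explain why the current behaviour is acceptable.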
Index: etc/Makefile
===================================================================
--- etc/Makefile (revision 238117)
+++ etc/Makefile (working copy)
@@ -108,6 +108,9 @@
.if ${MK_SENDMAIL} != "no"
MTREE+= BSD.sendmail.dist
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+MTREE+= BSD.opie.dist
+.endif
.if ${MK_BIND} != "no"
MTREE+= BIND.chroot.dist
.if ${MK_BIND_LIBS} != "no"
@@ -160,7 +163,8 @@
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \
${BIN2} ${DESTDIR}/etc; \
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
- master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
+ master.passwd nsmb.conf ${DESTDIR}/etc; \
+
.if ${MK_AT} == "no"
sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
.endif
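Review bot: The rewritten install line now ends in `; \` followed by an added empty line, so the blank line becomes the tail of the shell command; the original ended the command with a plain `;`. Use `master.passwd nsmb.conf ${DESTDIR}/etc;` and drop the added blank line. Taking opieaccess out of this unconditional install is correct given the gated install added later in this file.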
@@ -207,6 +211,10 @@
cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
${SSL} ${DESTDIR}/etc/ssl
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+ cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
+ opieaccess ${DESTDIR}/etc
+.endif
.if ${MK_KERBEROS} != "no"
cd ${.CURDIR}/root; \
${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
@@ -281,6 +289,9 @@
.if ${MK_SENDMAIL} != "no"
mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist -p ${DESTDIR}/
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+ mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.opie.dist -p ${DESTDIR}/
+.endif
cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
cd ${DESTDIR}/usr/share/man/en.UTF-8; ln -sf ../man* .
@@ -312,7 +323,7 @@
etc-examples:
cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
- ${BIN1} ${BIN2} nsmb.conf opieaccess \
+ ${BIN1} ${BIN2} nsmb.conf \
${DESTDIR}/usr/share/examples/etc
${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \
DESTDIR=${DESTDIR}/usr/share/examples
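Review bot: `opieaccess` is removed from the etc-examples target unconditionally, whereas its installation into /etc was made conditional on MK_OPIE_SUPPORT earlier in this file, so builds that keep OPIE lose the example copy. Either leave it in this list or add a matching `.if ${MK_OPIE_SUPPORT} != "no"` install of `opieaccess` into `${DESTDIR}/usr/share/examples/etc` next to the existing conditional installs.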
Index: etc/mtree/BSD.var.dist
===================================================================
--- etc/mtree/BSD.var.dist (revision 238117)
+++ etc/mtree/BSD.var.dist (working copy)
@@ -79,8 +79,6 @@
..
mqueue
..
- opielocks mode=0700
- ..
output
lpd
..
Index: etc/mtree/BSD.opie.dist
===================================================================
--- etc/mtree/BSD.opie.dist (revision 0)
+++ etc/mtree/BSD.opie.dist (revision 0)
@@ -0,0 +1,15 @@
+# $FreeBSD$
+#
+# Please see the file src/etc/mtree/README before making changes to this file.
+#
+
+/set type=dir uname=root gname=wheel mode=0755
+. nochange
+ var nochange
+ spool nochange
+ opielocks gname=daemon mode=0700
+ ..
+ ..
+ ..
+..
+
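Review bot: The new spec gives opielocks `gname=daemon`, while the entry removed from BSD.var.dist specified only `mode=0700` and inherited its group from a surrounding `/set` context that this patch does not show; if that context was not gname=daemon, this silently changes the group of /var/spool/opielocks for every build, not just WITHOUT_OPIE ones. Please confirm the previous effective group and state it in the PR. The file also ends with an added blank line that should go.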
Index: libexec/lukemftpd/Makefile
===================================================================
--- libexec/lukemftpd/Makefile (revision 238117)
+++ libexec/lukemftpd/Makefile (working copy)
@@ -1,8 +1,6 @@
# @(#)Makefile 8.2 (Berkeley) 4/4/94
# $FreeBSD$
-.include <bsd.own.mk>
-
LUKEMFTPD= ${.CURDIR}/../../contrib/lukemftpd
.PATH: ${LUKEMFTPD}/src ${LUKEMFTPD}/libnetbsd
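Review bot: Removing `.include <bsd.own.mk>` here, and then switching the INET6 test and the PAM/OPIE blocks in the two hunks below from `${MK_INET6_SUPPORT}`/`${MK_PAM_SUPPORT}` to `!defined(NO_INET6)`, `!defined(NO_PAM)` and `!defined(NO_OPIE)`, regresses this Makefile to the old NO_* knob style and makes its OPIE gate ignore the very `MK_OPIE_SUPPORT` option this patch introduces. This looks like the hunks were generated against an older copy of the file. Keep the include and the existing MK_ tests, and gate OPIE the way libexec/ftpd/Makefile does in this same patch: `.if ${MK_OPIE_SUPPORT} != "no"`.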
@@ -14,7 +12,7 @@
WFORMAT= 0
-.if ${MK_INET6_SUPPORT} != "no"
+.if !defined(NO_INET6)
CFLAGS+= -DINET6
.endif
@@ -33,16 +31,22 @@
DPADD+= ${LIBM}
LDADD+= -lm
-CFLAGS+= -DUSE_OPIE -DLOGIN_CAP
-DPADD+= ${LIBOPIE} ${LIBMD}
-LDADD+= -lopie -lmd
+CFLAGS+= -DLOGIN_CAP
+DPADD+= ${LIBMD}
+LDADD+= -lmd
-.if ${MK_PAM_SUPPORT} != "no"
+.if !defined(NO_PAM)
CFLAGS+= -DUSE_PAM
DPADD+= ${LIBPAM}
LDADD+= ${MINUSLPAM}
.endif
+.if !defined(NO_OPIE)
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
CLEANFILES+= ls-unmain.c
ls-unmain.c: ls.c
sed -e 's/^main(/ls_main(/g' -e 's,extern.h,${LSDIR}/extern.h,' \
@@ -58,3 +62,4 @@
.include <bsd.prog.mk>
${OBJS}: ${.CURDIR}/nbsd2fbsd.h
+
Index: libexec/ftpd/Makefile
===================================================================
--- libexec/ftpd/Makefile (revision 238117)
+++ libexec/ftpd/Makefile (working copy)
@@ -17,8 +17,8 @@
LDADD= -lutil -lcrypt
# XXX Kluge! Conversation mechanism needs to be fixed.
-DPADD+= ${LIBOPIE} ${LIBMD}
-LDADD+= -lopie -lmd
+DPADD+= ${LIBMD}
+LDADD+= -lmd
LSDIR= ../../bin/ls
.PATH: ${.CURDIR}/${LSDIR}
@@ -33,8 +33,14 @@
.if ${MK_PAM_SUPPORT} != "no"
CFLAGS+=-DUSE_PAM
-DPADD+= ${LIBPAM}
-LDADD+= ${MINUSLPAM}
+DPADD+= ${LIBPAM}
+LDADD+= ${MINUSLPAM}
.endif
+.if ${MK_OPIE_SUPPORT} != "no"
+CFLAGS+= -DUSE_OPIE
+DPADD+= ${LIBOPIE}
+LDADD+= -lopie
+.endif
+
.include <bsd.prog.mk>
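Review bot: The `DPADD+= ${LIBPAM}` and `LDADD+= ${MINUSLPAM}` lines inside the MK_PAM_SUPPORT block are removed and re-added with no visible textual change (whitespace only), which adds noise to the review and to the file's history. Drop those two -/+ pairs and keep only the new OPIE block, which is correct and matches the PAM pattern directly above it.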
Index: libexec/ftpd/ftpd.c
===================================================================
--- libexec/ftpd/ftpd.c (revision 238117)
+++ libexec/ftpd/ftpd.c (working copy)
@@ -79,7 +79,6 @@
#include <netdb.h>
#include <pwd.h>
#include <grp.h>
-#include <opie.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
@@ -97,6 +96,10 @@
#include <security/pam_appl.h>
#endif
+#ifdef USE_OPIE
+#include <opie.h>
+#endif
+
#include "pathnames.h"
#include "extern.h"
@@ -105,6 +108,9 @@
static char version[] = "Version 6.00LS";
#undef main
+extern off_t restart_point;
+extern char cbuf[];
+
union sockunion ctrl_addr;
union sockunion data_source;
union sockunion data_dest;
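Review bot: `extern off_t restart_point;` and `extern char cbuf[];` are unrelated to OPIE, and as externs placed in the .c file rather than in the shared header this file already includes (`extern.h`) they duplicate or shadow whatever declaration lives there. If the declarations are genuinely missing they belong in extern.h in a separate change; otherwise drop this hunk.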
@@ -180,8 +186,11 @@
pam_handle_t *pamh = NULL;
#endif
+#ifdef USE_OPIE
static struct opie opiedata;
static char opieprompt[OPIE_CHALLENGE_MAX+1];
+#endif
+
static int pwok;
char *pid_file = NULL; /* means default location to pidfile(3) */
@@ -1068,13 +1077,18 @@
#ifdef USE_PAM
/* XXX Kluge! The conversation mechanism needs to be fixed. */
#endif
+
+#ifdef USE_OPIE
if (opiechallenge(&opiedata, name, opieprompt) == 0) {
pwok = (pw != NULL) &&
opieaccessfile(remotehost) &&
opiealways(pw->pw_dir);
reply(331, "Response to %s %s for %s.",
opieprompt, pwok ? "requested" : "required", name);
- } else {
+ }
+ else
+#endif
+ {
pwok = 1;
reply(331, "Password required for %s.", name);
}
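Review bot: The `}` / `else` / `#endif` / `{` shape compiles both ways but is easy to misread and fragile: a maintainer adding a statement between `else` and `{` would change only the non-OPIE build, where the block is a free-standing compound statement. Consider making the non-OPIE path explicit with a `#else` branch that contains its own `pwok = 1; reply(331, ...);`, leaving the original `} else {` untouched for the OPIE build; the same shape recurs in the password-verification hunk below around `else` / `#endif` / `if (pwok) {`. The enclosing function starts and ends outside this hunk.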
@@ -1392,13 +1406,18 @@
#ifdef USE_PAM
rval = auth_pam(&pw, passwd);
if (rval >= 0) {
+#ifdef USE_OPIE
opieunlock();
+#endif
goto skip;
}
#endif
+#ifdef USE_OPIE
if (opieverify(&opiedata, passwd) == 0)
xpasswd = pw->pw_passwd;
- else if (pwok) {
+ else
+#endif
+ if (pwok) {
xpasswd = crypt(passwd, pw->pw_passwd);
if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
xpasswd = ":";
@@ -1562,7 +1581,6 @@
reply(550, "Can't change root.");
goto bad;
}
- __FreeBSD_libc_enter_restricted_mode();
} else /* real user w/o chroot */
homedir = pw->pw_dir;
/*
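Review bot: Deleting `__FreeBSD_libc_enter_restricted_mode();` is unrelated to OPIE and removes a hardening step: the call was added so that, once ftpd has chroot'ed into a user-controlled directory, libc stops loading further modules from inside that chroot (from memory; check the commit that introduced it). Reverting it re-opens that path for chrooted users, so this hunk should be dropped and the call kept as in the committed source. The enclosing function starts and ends outside this hunk.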
@@ -1893,12 +1911,20 @@
#ifdef TCP_NOPUSH
/*
* Turn off push flag to keep sender TCP from sending short packets
- * at the boundaries of each write().
+ * at the boundaries of each write(). Should probably do a SO_SNDBUF
+ * to set the send buffer size as well, but that may not be desirable
+ * in heavy-load situations.
*/
on = 1;
if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof on) < 0)
syslog(LOG_WARNING, "data setsockopt (TCP_NOPUSH): %m");
#endif
+#ifdef SO_SNDBUF
+ on = 65536;
+ if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on) < 0)
+ syslog(LOG_WARNING, "data setsockopt (SO_SNDBUF): %m");
+#endif
+
return (fdopen(s, mode));
bad:
/* Return the real value of errno (close may change it) */
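Review bot: The SO_SNDBUF block and the comment rewrite are unrelated to OPIE and change data-connection behaviour for every build: a fixed 65536-byte send buffer is forced on each data socket, overriding the kernel's own sizing, and the new comment says doing so "may not be desirable in heavy-load situations" while the code directly below does exactly that. Split this into its own PR with measurements, or drop it; at minimum the size should be a named constant and the comment should describe what the code actually does. The enclosing function starts outside this hunk.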
@@ -3490,3 +3516,4 @@
}
return(socks);
}
+
>Release-Note:
>Audit-Trail:
>Unformatted: