misc/169686: Made OPIE support tunable at kernel level
Oliver Pinter
oliver.pntr at gmail.com
Fri Jul 6 18:40:11 UTC 2012
The following reply was made to PR misc/169686; it has been noted by GNATS.
From: Oliver Pinter <oliver.pntr at gmail.com>
To: Zak Blacher <zblacher at sandvine.com>
Cc: freebsd-gnats-submit at freebsd.org
Subject: Re: misc/169686: Made OPIE support tunable at kernel level
Date: Fri, 6 Jul 2012 20:35:47 +0200
On 7/6/12, Zak Blacher <zblacher at sandvine.com> wrote:
>
>>Number: 169686
>>Category: misc
>>Synopsis: Made OPIE support tunable at kernel level
>>Confidential: no
>>Severity: non-critical
>>Priority: low
>>Responsible: freebsd-bugs
>>State: open
>>Quarter:
>>Keywords:
>>Date-Required:
>>Class: sw-bug
>>Submitter-Id: current-users
>>Arrival-Date: Fri Jul 06 17:20:02 UTC 2012
>>Closed-Date:
>>Last-Modified:
>>Originator: Zak Blacher
>>Release: releng 8.3
>>Organization:
> Sandvine Corporation
>>Environment:
> FreeBSD xxxxxxxx.sandvine.com 8.1-RELEASE FreeBSD 8.1-RELEASE (GENERIC
> amd64) amd64
>
>>Description:
> re: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938
>
> Added a build-time src.conf(5) knob (WITHOUT_OPIE_SUPPORT / MK_OPIE_SUPPORT) that omits the OPIE library, PAM modules, utilities and related configuration from the build; this is a userland build option, not a kernel tunable.
>>How-To-Repeat:
>
>>Fix:
>
>
> Patch attached with submission follows:
>
> Index: usr.bin/telnet/Makefile
> ===================================================================
> --- usr.bin/telnet/Makefile (revision 238165)
> +++ usr.bin/telnet/Makefile (working copy)
> @@ -10,7 +10,7 @@
> SRCS= commands.c main.c network.c ring.c sys_bsd.c \
> telnet.c terminal.c utilities.c
>
> -CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \
> +CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK \
> -I${TELNETDIR} -I${TELNETDIR}/libtelnet/
>
> .if ${MK_INET6_SUPPORT} != "no"
> @@ -47,4 +47,8 @@
> .endif
> .endif
>
> +.if ${MK_OPIE_SUPPORT} != "no"
> +CFLAGS+= -DOPIE
> +.endif
> +
> .include <bsd.prog.mk>
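Review bot: Only the `-DOPIE` define is made conditional here; if this Makefile's DPADD/LDADD still name `${LIBOPIE}`/`-lopie` outside the hunk (the stock telnet Makefile links libopie unconditionally, as far as I recall), a WITHOUT_OPIE_SUPPORT build fails at link time because lib/Makefile no longer builds libopie. Move the linkage into the same guard: `.if ${MK_OPIE_SUPPORT} != "no"` / `CFLAGS+= -DOPIE` / `DPADD+= ${LIBOPIE}` / `LDADD+= -lopie` / `.endif`, and drop the unconditional references.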
> Index: usr.bin/Makefile
> ===================================================================
> --- usr.bin/Makefile (revision 238165)
> +++ usr.bin/Makefile (working copy)
> @@ -143,9 +143,9 @@
> nohup \
> ${_nslookup} \
> ${_nsupdate} \
> - opieinfo \
> - opiekey \
> - opiepasswd \
> + ${_opieinfo} \
> + ${_opiekey} \
> + ${_opiepasswd} \
> pagesize \
> passwd \
> paste \
> @@ -178,7 +178,6 @@
> split \
> stat \
> su \
> - systat \
systat?
> tabs \
> tail \
> talk \
> @@ -391,4 +390,10 @@
> _smbutil= smbutil
> .endif
>
> +.if ${MK_OPIE_SUPPORT} != "no"
> +_opieinfo= opieinfo
> +_opiekey= opiekey
> +_opiepasswd= opiepasswd
> +.endif
> +
> .include <bsd.subdir.mk>
> Index: share/mk/bsd.own.mk
> ===================================================================
> --- share/mk/bsd.own.mk (revision 238165)
> +++ share/mk/bsd.own.mk (working copy)
> @@ -372,6 +372,7 @@
> OBJC \
> OPENSSH \
> OPENSSL \
> + OPIE \
> PAM \
> PF \
> PKGTOOLS \
> @@ -521,6 +522,7 @@
> KERBEROS \
> KVM \
> NETGRAPH \
> + OPIE \
> PAM \
> WIRELESS
> .if defined(WITH_${var}_SUPPORT) && defined(WITHOUT_${var}_SUPPORT)
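Review bot: OPIE is added to two different option lists, which (if the list at @@ -372 is the plain WITHOUT_xxx/MK_xxx list, as in the stock file) creates both MK_OPIE and MK_OPIE_SUPPORT, while every consumer in this patch tests only MK_OPIE_SUPPORT and libexec/lukemftpd tests a third, undefined knob, NO_OPIE. A user who writes WITHOUT_OPIE= in src.conf would therefore get a full OPIE build with no warning. Keep one knob — the `_SUPPORT` form matches how the consumers are written — remove the entry from the other list, and add the matching tools/build/options/WITHOUT_OPIE_SUPPORT text so src.conf(5) documents it.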
> Index: share/mk/bsd.libnames.mk
> ===================================================================
> --- share/mk/bsd.libnames.mk (revision 238165)
> +++ share/mk/bsd.libnames.mk (working copy)
> @@ -101,7 +101,11 @@
> LIBNGATM?= ${DESTDIR}${LIBDIR}/libngatm.a
> LIBNVPAIR?= ${DESTDIR}${LIBDIR}/libnvpair.a
> LIBOBJC?= ${DESTDIR}${LIBDIR}/libobjc.a
> +.if ${MK_OPIE_SUPPORT} != "no"
> LIBOPIE?= ${DESTDIR}${LIBDIR}/libopie.a
> +LIBPAM+= ${LIBOPIE}
> +MINUSLPAM+= -lopie
> +.endif
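Review bot: `LIBPAM+= ${LIBOPIE}` and `MINUSLPAM+= -lopie` are evaluated here before the `LIBPAM?=`/`MINUSLPAM?=` defaults that, in the stock file, follow the "static PAM library" comment just below; once LIBPAM is already defined, `?=` is a no-op, so LIBPAM would contain only libopie.a and MINUSLPAM only `-lopie`, and libpam itself drops out of every consumer's link line. If the stock layout holds, this block is also outside the `-static` guard the other secondary dependencies sit under. Keep only `LIBOPIE?=` here and add the opie entries next to the existing `LIBPAM+= ... ${LIBUTIL} ${LIBOPIE} ${LIBMD}` line, inside the same `.if ${MK_OPIE_SUPPORT} != "no"` guard.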
>
> # The static PAM library doesn't know its secondary dependencies,
> # so we have to specify them explicitly.
> @@ -116,7 +120,7 @@
> LIBPAM+= ${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
> ${LIBUTIL} ${LIBOPIE} ${LIBMD}
> MINUSLPAM+= -lradius -ltacplus -lcrypt \
> - -lutil -lopie -lmd
> + -lutil -lmd
> .if ${MK_OPENSSH} != "no"
> LIBPAM+= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT}
> MINUSLPAM+= -lssh -lcrypto -lcrypt
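Review bot: `-lopie` is removed from MINUSLPAM but `${LIBOPIE}` is left in the unchanged `LIBPAM+=` line two lines above, so with WITHOUT_OPIE_SUPPORT every program whose DPADD uses `${LIBPAM}` still depends on a libopie.a that is no longer built. Drop `${LIBOPIE}` from that line as well and re-add both halves under the guard: `.if ${MK_OPIE_SUPPORT} != "no"` / `LIBPAM+= ${LIBOPIE}` / `MINUSLPAM+= -lopie` / `.endif`.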
> Index: lib/Makefile
> ===================================================================
> --- lib/Makefile (revision 238165)
> +++ lib/Makefile (working copy)
> @@ -82,7 +82,7 @@
> ${_libmp} \
> ${_libncp} \
> ${_libngatm} \
> - libopie \
> + ${_libopie} \
> libpam \
> libpcap \
> ${_libpmc} \
> @@ -202,4 +202,8 @@
> _libusb= libusb
> .endif
>
> +.if ${MK_OPIE_SUPPORT} != "no"
> +_libopie= libopie
> +.endif
> +
> .include <bsd.subdir.mk>
> Index: lib/libpam/modules/modules.inc
> ===================================================================
> --- lib/libpam/modules/modules.inc (revision 238165)
> +++ lib/libpam/modules/modules.inc (working copy)
> @@ -17,8 +17,10 @@
> MODULES += pam_lastlog
> MODULES += pam_login_access
> MODULES += pam_nologin
> +.if ${MK_OPIE_SUPPORT} != "no"
> MODULES += pam_opie
> MODULES += pam_opieaccess
> +.endif
> MODULES += pam_passwdqc
> MODULES += pam_permit
> MODULES += pam_radius
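Review bot: Dropping pam_opie and pam_opieaccess from the build without touching etc/pam.d leaves the stock policies (login, sshd, ftpd, su and others carry `auth sufficient pam_opie.so` and `auth requisite pam_opieaccess.so`, as far as I recall) naming modules that no longer exist on a WITHOUT_OPIE_SUPPORT system. OpenPAM treats a module it cannot load as a policy error, so those services would fail closed rather than quietly fall through to pam_unix, which is safe but will read as a broken install. Either install OPIE-free pam.d files under the same knob, or state in the option description that /etc/pam.d must be edited by hand; note that pam_opieaccess is a `requisite` host check, so this changes authentication policy and not just a build option.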
> Index: etc/Makefile
> ===================================================================
> --- etc/Makefile (revision 238165)
> +++ etc/Makefile (working copy)
> @@ -104,6 +104,9 @@
> .if ${MK_SENDMAIL} != "no"
> MTREE+= BSD.sendmail.dist
> .endif
> +.if ${MK_OPIE_SUPPORT} != "no"
> +MTREE+= BSD.opie.dist
> +.endif
> .if ${MK_BIND} != "no"
> MTREE+= BIND.chroot.dist
> .if ${MK_BIND_LIBS} != "no"
> @@ -156,7 +159,8 @@
> ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \
> ${BIN2} ${DESTDIR}/etc; \
> ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
> - master.passwd nsmb.conf opieaccess ${DESTDIR}/etc;
> + master.passwd nsmb.conf ${DESTDIR}/etc; \
> +
> .if ${MK_AT} == "no"
> sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab
> .endif
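Review bot: The rewritten install line now ends in ` \` followed by an empty added line, so the continuation swallows a blank line before `.if ${MK_AT}`; bmake tolerates it, but it is fragile and looks like an editing leftover. Drop the trailing backslash and the empty line so the statement ends as `master.passwd nsmb.conf ${DESTDIR}/etc;`.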
> @@ -203,6 +207,10 @@
> cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
> ${SSL} ${DESTDIR}/etc/ssl
> .endif
> +.if ${MK_OPIE_SUPPORT} != "no"
> + cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \
> + opieaccess ${DESTDIR}/etc
> +.endif
> .if ${MK_KERBEROS} != "no"
> cd ${.CURDIR}/root; \
> ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \
> @@ -274,6 +282,9 @@
> .if ${MK_SENDMAIL} != "no"
> mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.sendmail.dist
> -p ${DESTDIR}/
> .endif
> +.if ${MK_OPIE_SUPPORT} != "no"
> + mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.opie.dist -p
> ${DESTDIR}/
> +.endif
> cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys
> cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* .
> cd ${DESTDIR}/usr/share/man/en.UTF-8; ln -sf ../man* .
> @@ -305,7 +316,7 @@
>
> etc-examples:
> cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \
> - ${BIN1} ${BIN2} nsmb.conf opieaccess \
> + ${BIN1} ${BIN2} nsmb.conf \
> ${DESTDIR}/usr/share/examples/etc
> ${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \
> DESTDIR=${DESTDIR}/usr/share/examples
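Review bot: opieaccess is removed from the etc-examples list unconditionally, so even a default OPIE-enabled build loses /usr/share/examples/etc/opieaccess, whereas the /etc install above was correctly made conditional. Put it back under the same knob, e.g. `.if ${MK_OPIE_SUPPORT} != "no"` / `cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 opieaccess ${DESTDIR}/usr/share/examples/etc` / `.endif`.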
> Index: etc/mtree/BSD.var.dist
> ===================================================================
> --- etc/mtree/BSD.var.dist (revision 238165)
> +++ etc/mtree/BSD.var.dist (working copy)
> @@ -77,8 +77,6 @@
> ..
> mqueue
> ..
> - opielocks mode=0700
> - ..
> output
> lpd
> ..
> Index: etc/mtree/BSD.opie.dist
> ===================================================================
> --- etc/mtree/BSD.opie.dist (revision 0)
> +++ etc/mtree/BSD.opie.dist (revision 0)
> @@ -0,0 +1,15 @@
> +# $FreeBSD$
> +#
> +# Please see the file src/etc/mtree/README before making changes to this
> file.
> +#
> +
> +/set type=dir uname=root gname=wheel mode=0755
> +. nochange
> + var nochange
> + spool nochange
> + opielocks gname=daemon mode=0700
> + ..
> + ..
> + ..
> +..
> +
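Review bot: The entry removed from BSD.var.dist was `opielocks mode=0700` with whatever owner the surrounding `/set` supplies (root:wheel unless spool carries an override I cannot see), while the new file sets `gname=daemon`. With mode 0700 the group bits grant nothing, but the ownership change is unexplained and `mtree -U` will re-chgrp an existing directory on every installworld. If the intent is only to relocate the entry, write `opielocks mode=0700` so the spec matches what it replaces.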
> Index: etc/mtree/Makefile
> ===================================================================
> --- etc/mtree/Makefile (revision 238165)
> +++ etc/mtree/Makefile (working copy)
> @@ -10,6 +10,7 @@
> BSD.usr.dist \
> BSD.var.dist \
> BSD.x11-4.dist \
> + BSD.opie.dist \
> BSD.x11.dist
>
> .if ${MK_BIND} != "no"
> Index: libexec/lukemftpd/Makefile
> ===================================================================
> --- libexec/lukemftpd/Makefile (revision 238165)
> +++ libexec/lukemftpd/Makefile (working copy)
> @@ -1,8 +1,6 @@
> # @(#)Makefile 8.2 (Berkeley) 4/4/94
> # $FreeBSD$
>
> -.include <bsd.own.mk>
> -
> LUKEMFTPD= ${.CURDIR}/../../contrib/lukemftpd
> .PATH: ${LUKEMFTPD}/src ${LUKEMFTPD}/libnetbsd
>
> @@ -14,7 +12,7 @@
>
> WFORMAT= 0
>
> -.if ${MK_INET6_SUPPORT} != "no"
> +.if !defined(NO_INET6)
> CFLAGS+= -DINET6
> .endif
>
> @@ -33,16 +31,22 @@
> DPADD+= ${LIBM}
> LDADD+= -lm
>
> -CFLAGS+= -DUSE_OPIE -DLOGIN_CAP
> -DPADD+= ${LIBOPIE} ${LIBMD}
> -LDADD+= -lopie -lmd
> +CFLAGS+= -DLOGIN_CAP
> +DPADD+= ${LIBMD}
> +LDADD+= -lmd
>
> -.if ${MK_PAM_SUPPORT} != "no"
> +.if !defined(NO_PAM)
> CFLAGS+= -DUSE_PAM
> DPADD+= ${LIBPAM}
> LDADD+= ${MINUSLPAM}
> .endif
>
> +.if !defined(NO_OPIE)
> +CFLAGS+= -DUSE_OPIE
> +DPADD+= ${LIBOPIE}
> +LDADD+= -lopie
> +.endif
> +
> CLEANFILES+= ls-unmain.c
> ls-unmain.c: ls.c
> sed -e 's/^main(/ls_main(/g' -e 's,extern.h,${LSDIR}/extern.h,' \
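Review bot: `NO_OPIE` is a different knob from the `MK_OPIE_SUPPORT` the rest of the patch uses and nothing defines it, so a WITHOUT_OPIE_SUPPORT build still compiles lukemftpd with `-DUSE_OPIE` and links `-lopie` against a libopie that lib/Makefile no longer builds; the PAM guard likewise regresses to `!defined(NO_PAM)`. The two blocks should read `.if ${MK_PAM_SUPPORT} != "no"` and `.if ${MK_OPIE_SUPPORT} != "no"` respectively, with the `.include <bsd.own.mk>` from the top of the file retained.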
> @@ -58,3 +62,4 @@
> .include <bsd.prog.mk>
>
> ${OBJS}: ${.CURDIR}/nbsd2fbsd.h
> +
> Index: libexec/ftpd/Makefile
> ===================================================================
> --- libexec/ftpd/Makefile (revision 238165)
> +++ libexec/ftpd/Makefile (working copy)
> @@ -17,8 +17,8 @@
> LDADD= -lutil -lcrypt
>
> # XXX Kluge! Conversation mechanism needs to be fixed.
> -DPADD+= ${LIBOPIE} ${LIBMD}
> -LDADD+= -lopie -lmd
> +DPADD+= ${LIBMD}
> +LDADD+= -lmd
>
> LSDIR= ../../bin/ls
> .PATH: ${.CURDIR}/${LSDIR}
> @@ -33,8 +33,14 @@
>
> .if ${MK_PAM_SUPPORT} != "no"
> CFLAGS+=-DUSE_PAM
> -DPADD+= ${LIBPAM}
> -LDADD+= ${MINUSLPAM}
> +DPADD+= ${LIBPAM}
> +LDADD+= ${MINUSLPAM}
> .endif
>
> +.if ${MK_OPIE_SUPPORT} != "no"
> +CFLAGS+= -DUSE_OPIE
> +DPADD+= ${LIBOPIE}
> +LDADD+= -lopie
> +.endif
> +
> .include <bsd.prog.mk>
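Review bot: The `DPADD+= ${LIBPAM}` / `LDADD+= ${MINUSLPAM}` lines are removed and re-added with only a whitespace change, which is noise in a patch about the OPIE knob; please regenerate without it. The `# XXX Kluge! Conversation mechanism needs to be fixed.` comment in the earlier hunk appears to describe the opie/md linkage that is now conditional, so it would be clearer moved into the `MK_OPIE_SUPPORT` block above it.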
> Index: libexec/ftpd/ftpd.c
> ===================================================================
> --- libexec/ftpd/ftpd.c (revision 238165)
> +++ libexec/ftpd/ftpd.c (working copy)
> @@ -79,7 +79,6 @@
> #include <netdb.h>
> #include <pwd.h>
> #include <grp.h>
> -#include <opie.h>
> #include <signal.h>
> #include <stdint.h>
> #include <stdio.h>
> @@ -97,6 +96,10 @@
> #include <security/pam_appl.h>
> #endif
>
> +#ifdef USE_OPIE
> +#include <opie.h>
> +#endif
> +
> #include "pathnames.h"
> #include "extern.h"
>
> @@ -105,6 +108,9 @@
> static char version[] = "Version 6.00LS";
> #undef main
>
> +extern off_t restart_point;
> +extern char cbuf[];
> +
> union sockunion ctrl_addr;
> union sockunion data_source;
> union sockunion data_dest;
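Review bot: `extern off_t restart_point;` and `extern char cbuf[];` have nothing to do with the OPIE knob and, if extern.h (included just above) already declares them as in the stock tree, are redundant redeclarations. Together with the checkuser()/ecode rework, the SO_SNDBUF change and the removed `__FreeBSD_libc_enter_restricted_mode()` call further down, it suggests this diff was taken from a working copy that differs from r238165 in more than the OPIE change; please regenerate the ftpd.c part against a clean checkout so only the USE_OPIE guards remain, and send any of the other changes you actually want as separate PRs.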
> @@ -181,8 +187,11 @@
> pam_handle_t *pamh = NULL;
> #endif
>
> +#ifdef USE_OPIE
> static struct opie opiedata;
> static char opieprompt[OPIE_CHALLENGE_MAX+1];
> +#endif
> +
> static int pwok;
>
> char *pid_file = NULL; /* means default location to pidfile(3) */
> @@ -245,7 +254,7 @@
> static void maskurg(int);
> static void flagxfer(int);
> static int myoob(void);
> -static int checkuser(char *, char *, int, char **);
> +static int checkuser(char *, char *, int, char **, int *);
> static FILE *dataconn(char *, off_t, char *);
> static void dolog(struct sockaddr *);
> static void end_login(void);
> @@ -998,6 +1007,7 @@
> void
> user(char *name)
> {
> + int ecode;
> char *cp, *shell;
>
> if (logged_in) {
> @@ -1018,9 +1028,12 @@
> pw = sgetpwnam("ftp");
> #endif
> if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) {
> - if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL) ||
> - checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL))
> + if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL, &ecode) ||
> + (ecode != 0 && ecode != ENOENT))
> reply(530, "User %s access denied.", name);
> + else if (checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL, &ecode) ||
> + (ecode != 0 && ecode != ENOENT))
> + reply(530, "User %s access denied.", name);
> else if (pw != NULL) {
> guest = 1;
> askpasswd = 1;
> @@ -1047,7 +1060,9 @@
> break;
> endusershell();
>
> - if (cp == NULL || checkuser(_PATH_FTPUSERS, name, 1, NULL)) {
> + if (cp == NULL ||
> + (checkuser(_PATH_FTPUSERS, name, 1, NULL, &ecode) ||
> + (ecode != 0 && ecode != ENOENT))) {
> reply(530, "User %s access denied.", name);
> if (logging)
> syslog(LOG_NOTICE,
> @@ -1064,13 +1079,18 @@
> #ifdef USE_PAM
> /* XXX Kluge! The conversation mechanism needs to be fixed. */
> #endif
> +
> +#ifdef USE_OPIE
> if (opiechallenge(&opiedata, name, opieprompt) == 0) {
> pwok = (pw != NULL) &&
> opieaccessfile(remotehost) &&
> opiealways(pw->pw_dir);
> reply(331, "Response to %s %s for %s.",
> opieprompt, pwok ? "requested" : "required", name);
> - } else {
> + }
> + else
> +#endif
> + {
> pwok = 1;
> reply(331, "Password required for %s.", name);
> }
> @@ -1089,13 +1109,15 @@
> * of the matching line in "residue" if not NULL.
> */
> static int
> -checkuser(char *fname, char *name, int pwset, char **residue)
> +checkuser(char *fname, char *name, int pwset, char **residue, int *ecode)
> {
> FILE *fd;
> int found = 0;
> size_t len;
> char *line, *mp, *p;
>
> + if (ecode != NULL)
> + *ecode = 0;
> if ((fd = fopen(fname, "r")) != NULL) {
> while (!found && (line = fgetln(fd, &len)) != NULL) {
> /* skip comments */
> @@ -1164,7 +1186,8 @@
> free(mp);
> }
> (void) fclose(fd);
> - }
> + } else if (ecode != NULL)
> + *ecode = errno;
> return (found);
> }
>
> @@ -1361,7 +1384,7 @@
> void
> pass(char *passwd)
> {
> - int rval;
> + int rval, ecode;
> FILE *fd;
> #ifdef LOGIN_CAP
> login_cap_t *lc = NULL;
> @@ -1385,13 +1408,18 @@
> #ifdef USE_PAM
> rval = auth_pam(&pw, passwd);
> if (rval >= 0) {
> +#ifdef USE_OPIE
> opieunlock();
> +#endif
> goto skip;
> }
> #endif
> +#ifdef USE_OPIE
> if (opieverify(&opiedata, passwd) == 0)
> xpasswd = pw->pw_passwd;
> - else if (pwok) {
> + else
> +#endif
> + if (pwok) {
> xpasswd = crypt(passwd, pw->pw_passwd);
> if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0')
> xpasswd = ":";
> @@ -1492,11 +1520,21 @@
> stats = 0;
>
> dochroot =
> - checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue)
> + checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue, &ecode)
> #ifdef LOGIN_CAP /* Allow login.conf configuration as well */
> || login_getcapbool(lc, "ftp-chroot", 0)
> #endif
> ;
> + /*
> + * It is possible that checkuser() failed to open the chroot file.
> + * If this is the case, report that logins are un-available, since we
> + * have no way of checking whether or not the user should be chrooted.
> + * We ignore ENOENT since it is not required that this file be present.
> + */
> + if (ecode != 0 && ecode != ENOENT) {
> + reply(530, "Login not available right now.");
> + return;
> + }
> chrootdir = NULL;
> /*
> * For a chrooted local user,
> @@ -1543,7 +1581,6 @@
> reply(550, "Can't change root.");
> goto bad;
> }
> - __FreeBSD_libc_enter_restricted_mode();
> } else /* real user w/o chroot */
> homedir = pw->pw_dir;
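Review bot: The removed `__FreeBSD_libc_enter_restricted_mode();` is, to my recollection, the FreeBSD-SA-11:07.chroot fix (CVE-2011-4122) that stops libc's nsswitch from dlopen()ing modules out of the now user-controlled root immediately after the chroot succeeds. Dropping it is unrelated to OPIE and reintroduces that hole on WITH and WITHOUT builds alike, which would undo the very class of fix this PR cites as motivation. Restore the line unchanged directly after the `goto bad;` / `}` that follow the chroot check.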
> /*
> @@ -1874,12 +1911,20 @@
> #ifdef TCP_NOPUSH
> /*
> * Turn off push flag to keep sender TCP from sending short packets
> - * at the boundaries of each write().
> + * at the boundaries of each write(). Should probably do a SO_SNDBUF
> + * to set the send buffer size as well, but that may not be desirable
> + * in heavy-load situations.
> */
> on = 1;
> if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof on) < 0)
> syslog(LOG_WARNING, "data setsockopt (TCP_NOPUSH): %m");
> #endif
> +#ifdef SO_SNDBUF
> + on = 65536;
> + if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on) < 0)
> + syslog(LOG_WARNING, "data setsockopt (SO_SNDBUF): %m");
> +#endif
> +
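Review bot: A fixed 64 KiB SO_SNDBUF on every data connection is unrelated to the OPIE knob, overrides the kernel's send-buffer autosizing (net.inet.tcp.sendbuf_auto) for all transfers, and the comment added just above says the same setting "may not be desirable in heavy-load situations" before doing it unconditionally. `#ifdef SO_SNDBUF` is always true on FreeBSD, so the guard is decorative. Drop this hunk from the PR, or make the size a command-line or sysctl-tunable option in a separate change with its own justification.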
> return (fdopen(s, mode));
> bad:
> /* Return the real value of errno (close may change it) */
> @@ -3471,3 +3516,4 @@
> }
> return(socks);
> }
> +
>
>
>>Release-Note:
>>Audit-Trail:
>>Unformatted: