10.1 BETA2 World - Breaks saslauthd
Dag-Erling Smørgrav
des at des.no
Fri Sep 26 07:08:41 UTC 2014
Brandon Allbery <allbery.b at gmail.com> writes:
> To me the implication is that before the MFC, PAM had a potentially
> quite severe security issue involving either incorrect fallback to a
> default configuration or not correctly handling error returns from a
> PAM stack --- either of which could result in unauthorized users being
> permitted access.
No, that's a different issue. This patch fixes a potential segfault
(see http://bugs.freebsd.org/83099). However, I have received reports
that gdm (amongst others) actually want to be able to call
pam_login_access without a host or tty. The following patch makes that
possible:
Index: lib/libpam/modules/pam_login_access/pam_login_access.c
===================================================================
--- lib/libpam/modules/pam_login_access/pam_login_access.c (revision 272101)
+++ lib/libpam/modules/pam_login_access/pam_login_access.c (working copy)
@@ -94,8 +94,10 @@
PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
user, tty);
} else {
- PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required");
- return (PAM_AUTHINFO_UNAVAIL);
+ PAM_LOG("Checking login.access for user %s", user);
+ if (login_access(user, "***unknown***") != 0)
+ return (PAM_SUCCESS);
+ PAM_VERBOSE_ERROR("%s is not allowed to log in", user);
}
return (PAM_AUTH_ERR);
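Review bot: the new else branch changes the module's behaviour when neither PAM_RHOST nor PAM_TTY is set, from an unconditional PAM_AUTHINFO_UNAVAIL to a login.access lookup with the literal origin "***unknown***", and that needs to be stated in the commit message and in the module's documentation, because an administrator who previously relied on such sessions being rejected now has to write an explicit login.access rule matching "***unknown***" to keep that result. The placeholder string should also be a named constant rather than a bare literal, so that the value administrators must match in login.access and the value the code passes to login_access() cannot drift apart; everything else in the branch (PAM_SUCCESS on a non-zero login_access() result, fall-through to the shared `return (PAM_AUTH_ERR);` otherwise) follows the pattern of the existing tty branch just above it.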
Please test and report as soon as possible so I can get it into 10.
DES
--
Dag-Erling Smørgrav - des at des.no