10.1 BETA2 World - Breaks saslauthd

[Dag-Erling Smørgrav]

Brandon Allbery <allbery.b at gmail.com> writes:
> To me the implication is that before the MFC, PAM had a potentially
> quite severe security issue involving either incorrect fallback to a
> default configuration or not correctly handling error returns from a
> PAM stack --- either of which could result in unauthorized users being
> permitted access.

No, that's a different issue.  This patch fixes a potential segfault
(see http://bugs.freebsd.org/83099).  However, I have recevied reports
that gdm (amongst others) actually want to be able to call
pam_login_access without a host or tty.  The following patch makes that
possible:

Index: lib/libpam/modules/pam_login_access/pam_login_access.c
===================================================================
--- lib/libpam/modules/pam_login_access/pam_login_access.c	(revision 272101)
+++ lib/libpam/modules/pam_login_access/pam_login_access.c	(working copy)
@@ -94,8 +94,10 @@
 		PAM_VERBOSE_ERROR("%s is not allowed to log in on %s",
 		    user, tty);
 	} else {
-		PAM_VERBOSE_ERROR("PAM_RHOST or PAM_TTY required");
-		return (PAM_AUTHINFO_UNAVAIL);
+		PAM_LOG("Checking login.access for user %s", user);
+		if (login_access(user, "***unknown***") != 0)
+			return (PAM_SUCCESS);
+		PAM_VERBOSE_ERROR("%s is not allowed to log in", user);
 	}
 
 	return (PAM_AUTH_ERR);

Please test and report as soon as possible so I can get it into 10.

DES
-- 
Dag-Erling Smørgrav - des at des.no