tags 537848 patch
thanks
On Thu, Jul 23, 2009 at 12:41:05PM +0200, [email protected] wrote:
>
> On Tue, Jul 21, 2009 at 12:52:53PM +0200, Nicolas FRANCOIS (Nekral) wrote:
> > pam_securetty currently first checks if the user is valid and then checks
> > if the tty is secure.
>
> > pam_securetty should only avoid root's login on insecure tty.
> > pam_securetty can consider invalid users as possibly mis-typed root users,
> > but those invalid users should not be rejected (by pam_securetty) on
> > secure ttys.
>
> > This was triggered by the discussion on http://bugs.debian.org/531341
>
> I agree, the module should not enforce username checks on secure ttys. Any
> chance you could provide a patch for this? If not, I'll put it in my queue.
Here is a patch.
Cheers,
--
Nekral
Index: sid/modules/pam_securetty/pam_securetty.8.xml
===================================================================
--- sid.orig/modules/pam_securetty/pam_securetty.8.xml 2009-07-23
17:39:39.624159812 +0200
+++ sid/modules/pam_securetty/pam_securetty.8.xml 2009-07-23
17:40:05.924151717 +0200
@@ -116,7 +116,7 @@
</listitem>
</varlistentry>
<varlistentry>
- <term>PAM_IGNORE</term>
+ <term>PAM_USER_UNKNOWN</term>
<listitem>
<para>
The module could not find the user name in the
Index: sid/modules/pam_securetty/pam_securetty.c
===================================================================
--- sid.orig/modules/pam_securetty/pam_securetty.c 2009-07-23
17:39:36.904158303 +0200
+++ sid/modules/pam_securetty/pam_securetty.c 2009-07-23 17:48:55.596157670
+0200
@@ -82,13 +82,11 @@
}
user_pwd = pam_modutil_getpwnam(pamh, username);
- if (user_pwd == NULL) {
- return PAM_USER_UNKNOWN;
- } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
- securetty's does not apply
- to them */
+ if (user_pwd != NULL && user_pwd->pw_uid != 0) {
+ /* If the user is not root, securetty's does not apply to them */
return PAM_SUCCESS;
}
+ /* The user is now either root or an invalid / mistyped username */
retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
uttyname = void_uttyname;
@@ -98,10 +96,13 @@
}
retval = _pammodutil_tty_secure(pamh, uttyname);
- if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
+ if ((user_pwd != NULL) && (retval == PAM_SUCCESS) && (ctrl &
PAM_DEBUG_ARG)) {
pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'",
username, uttyname);
} else if (retval != PAM_SUCCESS) {
+ if (user_pwd == NULL) {
+ retval = PAM_USER_UNKNOWN;
+ }
pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
uttyname);
}