The following reply was made to PR misc/169686; it has been noted by GNATS.
From: Oliver Pinter <oliver.p...@gmail.com> To: Zak Blacher <zblac...@sandvine.com> Cc: freebsd-gnats-sub...@freebsd.org Subject: Re: misc/169686: Made OPIE support tunable at kernel level Date: Fri, 6 Jul 2012 20:35:47 +0200 On 7/6/12, Zak Blacher <zblac...@sandvine.com> wrote: > >>Number: 169686 >>Category: misc >>Synopsis: Made OPIE support tunable at kernel level >>Confidential: no >>Severity: non-critical >>Priority: low >>Responsible: freebsd-bugs >>State: open >>Quarter: >>Keywords: >>Date-Required: >>Class: sw-bug >>Submitter-Id: current-users >>Arrival-Date: Fri Jul 06 17:20:02 UTC 2012 >>Closed-Date: >>Last-Modified: >>Originator: Zak Blacher >>Release: releng 8.3 >>Organization: > Sandvine Corporation >>Environment: > FreeBSD xxxxxxxx.sandvine.com 8.1-RELEASE FreeBSD 8.1-RELEASE (GENERIC > amd64) amd64 > >>Description: > re: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1938 > > Added option to completely remove opie related libraries and executables. >>How-To-Repeat: > >>Fix: > > > Patch attached with submission follows: > > Index: usr.bin/telnet/Makefile > =================================================================== > --- usr.bin/telnet/Makefile (revision 238165) > +++ usr.bin/telnet/Makefile (working copy) > @@ -10,7 +10,7 @@ > SRCS= commands.c main.c network.c ring.c sys_bsd.c \ > telnet.c terminal.c utilities.c > > -CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK -DOPIE \ > +CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DENV_HACK \ > -I${TELNETDIR} -I${TELNETDIR}/libtelnet/ > > .if ${MK_INET6_SUPPORT} != "no" > @@ -47,4 +47,8 @@ > .endif > .endif > > +.if ${MK_OPIE_SUPPORT} != "no" > +CFLAGS+= -DOPIE > +.endif > + > .include <bsd.prog.mk> > Index: usr.bin/Makefile > =================================================================== > --- usr.bin/Makefile (revision 238165) > +++ usr.bin/Makefile (working copy) 
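Review bot: The usr.bin/telnet/Makefile hunks only cover one consumer of libopie; nothing in the patch touches the other in-tree users I would expect to link it (libexec/telnetd and the OPIE-aware parts under lib/libtelnet, if I recall the 8.x tree correctly), so a WITHOUT_OPIE_SUPPORT build may still reference `-lopie` after lib/Makefile stops building it. A `grep -r -- '-lopie\|LIBOPIE\|-DOPIE' usr.bin libexec lib` against revision 238165 before committing, guarding each hit the same way as here, would settle that. The @@ -47 hunk also tests `${MK_OPIE_SUPPORT}` before `.include <bsd.prog.mk>`, which is only safe because bsd.own.mk is evidently already included higher up (the existing `${MK_INET6_SUPPORT}` test depends on the same thing).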
> @@ -143,9 +143,9 @@ > nohup \ > ${_nslookup} \ > ${_nsupdate} \ > - opieinfo \ > - opiekey \ > - opiepasswd \ > + ${_opieinfo} \ > + ${_opiekey} \ > + ${_opiepasswd} \ > pagesize \ > passwd \ > paste \ > @@ -178,7 +178,6 @@ > split \ > stat \ > su \ > - systat \ systat? > tabs \ > tail \ > talk \ > @@ -391,4 +390,10 @@ > _smbutil= smbutil > .endif > > +.if ${MK_OPIE_SUPPORT} != "no" > +_opieinfo= opieinfo > +_opiekey= opiekey > +_opiepasswd= opiepasswd > +.endif > + > .include <bsd.subdir.mk> > Index: share/mk/bsd.own.mk > =================================================================== > --- share/mk/bsd.own.mk (revision 238165) > +++ share/mk/bsd.own.mk (working copy) > @@ -372,6 +372,7 @@ > OBJC \ > OPENSSH \ > OPENSSL \ > + OPIE \ > PAM \ > PF \ > PKGTOOLS \ > @@ -521,6 +522,7 @@ > KERBEROS \ > KVM \ > NETGRAPH \ > + OPIE \ > PAM \ > WIRELESS > .if defined(WITH_${var}_SUPPORT) && defined(WITHOUT_${var}_SUPPORT) > Index: share/mk/bsd.libnames.mk > =================================================================== > --- share/mk/bsd.libnames.mk (revision 238165) > +++ share/mk/bsd.libnames.mk (working copy) > @@ -101,7 +101,11 @@ > LIBNGATM?= ${DESTDIR}${LIBDIR}/libngatm.a > LIBNVPAIR?= ${DESTDIR}${LIBDIR}/libnvpair.a > LIBOBJC?= ${DESTDIR}${LIBDIR}/libobjc.a > +.if ${MK_OPIE_SUPPORT} != "no" > LIBOPIE?= ${DESTDIR}${LIBDIR}/libopie.a > +LIBPAM+= ${LIBOPIE} > +MINUSLPAM+= -lopie > +.endif > > # The static PAM library doesn't know its secondary dependencies, > # so we have to specify them explicitly. > @@ -116,7 +120,7 @@ > LIBPAM+= ${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \ > ${LIBUTIL} ${LIBOPIE} ${LIBMD} > MINUSLPAM+= -lradius -ltacplus -lcrypt \ > - -lutil -lopie -lmd > + -lutil -lmd > .if ${MK_OPENSSH} != "no" > LIBPAM+= ${LIBSSH} ${LIBCRYPTO} ${LIBCRYPT} > MINUSLPAM+= -lssh -lcrypto -lcrypt > Index: lib/Makefile > =================================================================== > --- lib/Makefile (revision 238165) > +++ lib/Makefile (working copy) 
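Review bot: In the share/mk/bsd.libnames.mk hunk at @@ -101, the new `LIBPAM+= ${LIBOPIE}` / `MINUSLPAM+= -lopie` lines are placed above the base LIBPAM/MINUSLPAM definitions that the "The static PAM library doesn't know its secondary dependencies" comment introduces, so they either pre-empt a later `LIBPAM?=` (leaving libpam.a itself out of DPADD) or are clobbered by a plain `MINUSLPAM=`; those base lines are not in the hunk, so please check which applies. They are also outside the static-link-only block that the @@ -116 hunk edits, so every dynamic consumer of `${MINUSLPAM}` would now pull in -lopie, while that second hunk still leaves `${LIBOPIE}` in the unconditional `LIBPAM+=` list. The conditional belongs inside the static block, replacing both `${LIBOPIE}` and `-lopie` there:
```make
.if ${MK_OPIE_SUPPORT} != "no"
LIBOPIE?=	${DESTDIR}${LIBDIR}/libopie.a
.endif

# … unchanged: base LIBPAM / MINUSLPAM definitions and the static-only .if …
LIBPAM+=	${LIBRADIUS} ${LIBTACPLUS} ${LIBCRYPT} \
		${LIBUTIL} ${LIBMD}
MINUSLPAM+=	-lradius -ltacplus -lcrypt \
		-lutil -lmd
.if ${MK_OPIE_SUPPORT} != "no"
LIBPAM+=	${LIBOPIE}
MINUSLPAM+=	-lopie
.endif
```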
> @@ -82,7 +82,7 @@ > ${_libmp} \ > ${_libncp} \ > ${_libngatm} \ > - libopie \ > + ${_libopie} \ > libpam \ > libpcap \ > ${_libpmc} \ > @@ -202,4 +202,8 @@ > _libusb= libusb > .endif > > +.if ${MK_OPIE_SUPPORT} != "no" > +_libopie= libopie > +.endif > + > .include <bsd.subdir.mk> > Index: lib/libpam/modules/modules.inc > =================================================================== > --- lib/libpam/modules/modules.inc (revision 238165) > +++ lib/libpam/modules/modules.inc (working copy) > @@ -17,8 +17,10 @@ > MODULES += pam_lastlog > MODULES += pam_login_access > MODULES += pam_nologin > +.if ${MK_OPIE_SUPPORT} != "no" > MODULES += pam_opie > MODULES += pam_opieaccess > +.endif > MODULES += pam_passwdqc > MODULES += pam_permit > MODULES += pam_radius > Index: etc/Makefile > =================================================================== > --- etc/Makefile (revision 238165) > +++ etc/Makefile (working copy) > @@ -104,6 +104,9 @@ > .if ${MK_SENDMAIL} != "no" > MTREE+= BSD.sendmail.dist > .endif > +.if ${MK_OPIE_SUPPORT} != "no" > +MTREE+= BSD.opie.dist > +.endif > .if ${MK_BIND} != "no" > MTREE+= BIND.chroot.dist > .if ${MK_BIND_LIBS} != "no" > @@ -156,7 +159,8 @@ > ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 755 \ > ${BIN2} ${DESTDIR}/etc; \ > ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ > - master.passwd nsmb.conf opieaccess ${DESTDIR}/etc; > + master.passwd nsmb.conf ${DESTDIR}/etc; \ > + > .if ${MK_AT} == "no" > sed -i "" -e 's;.*/usr/libexec/atrun;#&;' ${DESTDIR}/etc/crontab > .endif > @@ -203,6 +207,10 @@ > cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \ > ${SSL} ${DESTDIR}/etc/ssl > .endif > +.if ${MK_OPIE_SUPPORT} != "no" > + cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 600 \ > + opieaccess ${DESTDIR}/etc > +.endif > .if ${MK_KERBEROS} != "no" > cd ${.CURDIR}/root; \ > ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 644 \ 
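Review bot: Nothing in this patch adjusts the policies under etc/pam.d, which in the 8.x tree as I remember it name `pam_opie.so` and `pam_opieaccess.so` in the auth chains of login, sshd, su, ftpd and others, yet the lib/libpam/modules/modules.inc hunk stops installing those two modules when MK_OPIE_SUPPORT is "no". With OpenPAM a module that cannot be loaded makes the whole policy fail to parse, so a WITHOUT_OPIE_SUPPORT install would lock every PAM-backed login out rather than quietly skip OPIE; please verify that against openpam's loader. If it holds, either install OPIE-free variants of those policy files under the same knob or state in the description that the administrator must edit /etc/pam.d by hand.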
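Review bot: In the etc/Makefile hunk at @@ -156 the rewritten install line ends in `; \` and is followed by an empty `+` line, so the shell command now continues onto a blank line, whereas the original ended in a bare `;`. Drop the backslash and the empty line: `master.passwd nsmb.conf ${DESTDIR}/etc;`. The separate conditional install of opieaccess in the @@ -203 hunk keeps the file at mode 600 as before and looks right.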
> @@ -274,6 +282,9 @@ > .if ${MK_SENDMAIL} != "no" > mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f > ${.CURDIR}/mtree/BSD.sendmail.dist > -p ${DESTDIR}/ > .endif > +.if ${MK_OPIE_SUPPORT} != "no" > + mtree -deU ${MTREE_FOLLOWS_SYMLINKS} -f ${.CURDIR}/mtree/BSD.opie.dist > -p > ${DESTDIR}/ > +.endif > cd ${DESTDIR}/; rm -f ${DESTDIR}/sys; ln -s usr/src/sys sys > cd ${DESTDIR}/usr/share/man/en.ISO8859-1; ln -sf ../man* . > cd ${DESTDIR}/usr/share/man/en.UTF-8; ln -sf ../man* . > @@ -305,7 +316,7 @@ > > etc-examples: > cd ${.CURDIR}; ${INSTALL} -o ${BINOWN} -g ${BINGRP} -m 444 \ > - ${BIN1} ${BIN2} nsmb.conf opieaccess \ > + ${BIN1} ${BIN2} nsmb.conf \ > ${DESTDIR}/usr/share/examples/etc > ${_+_}cd ${.CURDIR}/defaults; ${MAKE} install \ > DESTDIR=${DESTDIR}/usr/share/examples > Index: etc/mtree/BSD.var.dist > =================================================================== > --- etc/mtree/BSD.var.dist (revision 238165) > +++ etc/mtree/BSD.var.dist (working copy) > @@ -77,8 +77,6 @@ > .. > mqueue > .. > - opielocks mode=0700 > - .. > output > lpd > .. > Index: etc/mtree/BSD.opie.dist > =================================================================== > --- etc/mtree/BSD.opie.dist (revision 0) > +++ etc/mtree/BSD.opie.dist (revision 0) > @@ -0,0 +1,15 @@ > +# $FreeBSD$ > +# > +# Please see the file src/etc/mtree/README before making changes to this > file. > +# > + > +/set type=dir uname=root gname=wheel mode=0755 > +. nochange > + var nochange > + spool nochange > + opielocks gname=daemon mode=0700 > + .. > + .. > + .. > +.. > + > Index: etc/mtree/Makefile > =================================================================== > --- etc/mtree/Makefile (revision 238165) > +++ etc/mtree/Makefile (working copy) 
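Review bot: The new etc/mtree/BSD.opie.dist spells the lock directory as `opielocks gname=daemon mode=0700`, but the line removed from BSD.var.dist carried only `mode=0700` and inherited its group from whatever `/set` was in force there, so unless that was already daemon this silently changes the group of /var/spool/opielocks. With mode 0700 the group grants no access, so the practical effect is limited to ownership audits and `mtree -c` comparisons, but it should either match the old spec or be called out in the description.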
> @@ -10,6 +10,7 @@ > BSD.usr.dist \ > BSD.var.dist \ > BSD.x11-4.dist \ > + BSD.opie.dist \ > BSD.x11.dist > > .if ${MK_BIND} != "no" > Index: libexec/lukemftpd/Makefile > =================================================================== > --- libexec/lukemftpd/Makefile (revision 238165) > +++ libexec/lukemftpd/Makefile (working copy) > @@ -1,8 +1,6 @@ > # @(#)Makefile 8.2 (Berkeley) 4/4/94 > # $FreeBSD$ > > -.include <bsd.own.mk> > - > LUKEMFTPD= ${.CURDIR}/../../contrib/lukemftpd > .PATH: ${LUKEMFTPD}/src ${LUKEMFTPD}/libnetbsd > > @@ -14,7 +12,7 @@ > > WFORMAT= 0 > > -.if ${MK_INET6_SUPPORT} != "no" > +.if !defined(NO_INET6) > CFLAGS+= -DINET6 > .endif > > @@ -33,16 +31,22 @@ > DPADD+= ${LIBM} > LDADD+= -lm > > -CFLAGS+= -DUSE_OPIE -DLOGIN_CAP > -DPADD+= ${LIBOPIE} ${LIBMD} > -LDADD+= -lopie -lmd > +CFLAGS+= -DLOGIN_CAP > +DPADD+= ${LIBMD} > +LDADD+= -lmd > > -.if ${MK_PAM_SUPPORT} != "no" > +.if !defined(NO_PAM) > CFLAGS+= -DUSE_PAM > DPADD+= ${LIBPAM} > LDADD+= ${MINUSLPAM} > .endif > > +.if !defined(NO_OPIE) > +CFLAGS+= -DUSE_OPIE > +DPADD+= ${LIBOPIE} > +LDADD+= -lopie > +.endif > + > CLEANFILES+= ls-unmain.c > ls-unmain.c: ls.c > sed -e 's/^main(/ls_main(/g' -e 's,extern.h,${LSDIR}/extern.h,' \ > @@ -58,3 +62,4 @@ > .include <bsd.prog.mk> > > ${OBJS}: ${.CURDIR}/nbsd2fbsd.h > + > Index: libexec/ftpd/Makefile > =================================================================== > --- libexec/ftpd/Makefile (revision 238165) > +++ libexec/ftpd/Makefile (working copy) > @@ -17,8 +17,8 @@ > LDADD= -lutil -lcrypt > > # XXX Kluge! Conversation mechanism needs to be fixed. > -DPADD+= ${LIBOPIE} ${LIBMD} > -LDADD+= -lopie -lmd > +DPADD+= ${LIBMD} > +LDADD+= -lmd > > LSDIR= ../../bin/ls > .PATH: ${.CURDIR}/${LSDIR} 
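Review bot: The etc/mtree/Makefile hunk adds BSD.opie.dist to the file list unconditionally and between BSD.x11-4.dist and BSD.x11.dist, while etc/Makefile only consumes it under `${MK_OPIE_SUPPORT} != "no"`. Installing the spec file always is harmless, but for consistency with the rest of the patch either guard it with the same `.if`, or at least keep the list sorted by placing it with the other BSD.*.dist entries in alphabetical order.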
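Review bot: The libexec/lukemftpd/Makefile hunks go the wrong direction: @@ -1 drops `.include <bsd.own.mk>`, and @@ -14 and @@ -33 replace the `${MK_INET6_SUPPORT}` / `${MK_PAM_SUPPORT}` tests with the old `!defined(NO_INET6)` / `!defined(NO_PAM)` knobs and gate OPIE on `!defined(NO_OPIE)`, which WITHOUT_OPIE_SUPPORT never sets. A WITHOUT_OPIE_SUPPORT build would therefore still compile lukemftpd with -DUSE_OPIE and link `-lopie` against a libopie that lib/Makefile no longer builds, and the INET6/PAM knob conversion is reverted as a side effect; this looks like a hunk generated against an older tree than revision 238165. It should mirror the libexec/ftpd/Makefile hunk: keep the bsd.own.mk include and the MK_* tests, and wrap the three OPIE lines in `.if ${MK_OPIE_SUPPORT} != "no"` … `.endif`. The empty line appended at @@ -58 is also unnecessary.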
> @@ -33,8 +33,14 @@ > > .if ${MK_PAM_SUPPORT} != "no" > CFLAGS+=-DUSE_PAM > -DPADD+= ${LIBPAM} > -LDADD+= ${MINUSLPAM} > +DPADD+= ${LIBPAM} > +LDADD+= ${MINUSLPAM} > .endif > > +.if ${MK_OPIE_SUPPORT} != "no" > +CFLAGS+= -DUSE_OPIE > +DPADD+= ${LIBOPIE} > +LDADD+= -lopie > +.endif > + > .include <bsd.prog.mk> > Index: libexec/ftpd/ftpd.c > =================================================================== > --- libexec/ftpd/ftpd.c (revision 238165) > +++ libexec/ftpd/ftpd.c (working copy) > @@ -79,7 +79,6 @@ > #include <netdb.h> > #include <pwd.h> > #include <grp.h> > -#include <opie.h> > #include <signal.h> > #include <stdint.h> > #include <stdio.h> > @@ -97,6 +96,10 @@ > #include <security/pam_appl.h> > #endif > > +#ifdef USE_OPIE > +#include <opie.h> > +#endif > + > #include "pathnames.h" > #include "extern.h" > > @@ -105,6 +108,9 @@ > static char version[] = "Version 6.00LS"; > #undef main > > +extern off_t restart_point; > +extern char cbuf[]; > + > union sockunion ctrl_addr; > union sockunion data_source; > union sockunion data_dest; > @@ -181,8 +187,11 @@ > pam_handle_t *pamh = NULL; > #endif > > +#ifdef USE_OPIE > static struct opie opiedata; > static char opieprompt[OPIE_CHALLENGE_MAX+1]; > +#endif > + > static int pwok; > > char *pid_file = NULL; /* means default location to pidfile(3) */ > @@ -245,7 +254,7 @@ > static void maskurg(int); > static void flagxfer(int); > static int myoob(void); > -static int checkuser(char *, char *, int, char **); > +static int checkuser(char *, char *, int, char **, int *); > static FILE *dataconn(char *, off_t, char *); > static void dolog(struct sockaddr *); > static void end_login(void); > @@ -998,6 +1007,7 @@ > void > user(char *name) > { > + int ecode; > char *cp, *shell; > > if (logged_in) { 
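Review bot: In the libexec/ftpd/Makefile hunk at @@ -33 the `DPADD+= ${LIBPAM}` and `LDADD+= ${MINUSLPAM}` lines are removed and re-added with no visible change, which is whitespace churn that hides the real change (the new MK_OPIE_SUPPORT block); please restore the original lines. The new block mirrors the PAM block above it and is the shape the lukemftpd Makefile should use too.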
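Review bot: The ftpd.c hunk at @@ -105 adds `extern off_t restart_point;` and `extern char cbuf[];` directly below the include of extern.h, which has nothing to do with the OPIE knob and duplicates those declarations if extern.h already provides them, as I believe it does in this tree. If the file does not compile without them, that is a sign the diff was taken against a different ftpd.c than revision 238165; either way the hunk should be dropped from this change or split out with its own justification.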
> @@ -1018,9 +1028,12 @@ > pw = sgetpwnam("ftp"); > #endif > if (strcmp(name, "ftp") == 0 || strcmp(name, "anonymous") == 0) { > - if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL) || > - checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL)) > + if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL, &ecode) || > + (ecode != 0 && ecode != ENOENT)) > reply(530, "User %s access denied.", name); > + else if (checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL, > &ecode) || > + (ecode != 0 && ecode != ENOENT)) > + reply(530, "User %s access denied.", name); > else if (pw != NULL) { > guest = 1; > askpasswd = 1; > @@ -1047,7 +1060,9 @@ > break; > endusershell(); > > - if (cp == NULL || checkuser(_PATH_FTPUSERS, name, 1, NULL)) { > + if (cp == NULL || > + (checkuser(_PATH_FTPUSERS, name, 1, NULL, &ecode) || > + (ecode != 0 && ecode != ENOENT))) { > reply(530, "User %s access denied.", name); > if (logging) > syslog(LOG_NOTICE, > @@ -1064,13 +1079,18 @@ > #ifdef USE_PAM > /* XXX Kluge! The conversation mechanism needs to be fixed. */ > #endif > + > +#ifdef USE_OPIE > if (opiechallenge(&opiedata, name, opieprompt) == 0) { > pwok = (pw != NULL) && > opieaccessfile(remotehost) && > opiealways(pw->pw_dir); > reply(331, "Response to %s %s for %s.", > opieprompt, pwok ? "requested" : "required", name); > - } else { > + } > + else > +#endif > + { > pwok = 1; > reply(331, "Password required for %s.", name); > } > @@ -1089,13 +1109,15 @@ > * of the matching line in "residue" if not NULL. > */ > static int > -checkuser(char *fname, char *name, int pwset, char **residue) > +checkuser(char *fname, char *name, int pwset, char **residue, int *ecode) > { > FILE *fd; > int found = 0; > size_t len; > char *line, *mp, *p; > > + if (ecode != NULL) > + *ecode = 0; > if ((fd = fopen(fname, "r")) != NULL) { > while (!found && (line = fgetln(fd, &len)) != NULL) { > /* skip comments */ 
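Review bot: In the user() hunk at @@ -1018 the two `reply(530, "User %s access denied.", name);` arms are identical and can be folded back into one condition: `if (checkuser(_PATH_FTPUSERS, "ftp", 0, NULL, &ecode) || (ecode != 0 && ecode != ENOENT) || checkuser(_PATH_FTPUSERS, "anonymous", 0, NULL, &ecode) || (ecode != 0 && ecode != ENOENT))`. The new behaviour — an unreadable ftpusers other than ENOENT now denies rather than admits — is the right fail-closed direction, but nothing records why, so an operator seeing a run of 530s has no hint that /etc/ftpusers is unreadable; a `syslog(LOG_ERR, ...)` carrying the errno in checkuser()'s open-failure path would give them that. user() starts before this hunk and continues after it.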
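Review bot: The checkuser() hunk at @@ -1089 adds the `ecode` out-parameter but leaves the comment block above the function unchanged (only its tail, `of the matching line in "residue" if not NULL.`, is in the hunk); add a sentence such as `If ecode is not NULL, *ecode is set to errno when fname cannot be opened, or to 0 otherwise.`. Note also that only fopen() failures are reported: an fgetln() that stops on a read error still yields `found == 0` and is treated as "user not listed", so the fail-closed intent of this change does not cover mid-file read errors; checking `ferror(fd)` before the fclose() and reporting it through ecode would close that gap. The function body continues in the next hunk.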
> @@ -1164,7 +1186,8 @@ > free(mp); > } > (void) fclose(fd); > - } > + } else if (ecode != NULL) > + *ecode = errno; > return (found); > } > > @@ -1361,7 +1384,7 @@ > void > pass(char *passwd) > { > - int rval; > + int rval, ecode; > FILE *fd; > #ifdef LOGIN_CAP > login_cap_t *lc = NULL; > @@ -1385,13 +1408,18 @@ > #ifdef USE_PAM > rval = auth_pam(&pw, passwd); > if (rval >= 0) { > +#ifdef USE_OPIE > opieunlock(); > +#endif > goto skip; > } > #endif > +#ifdef USE_OPIE > if (opieverify(&opiedata, passwd) == 0) > xpasswd = pw->pw_passwd; > - else if (pwok) { > + else > +#endif > + if (pwok) { > xpasswd = crypt(passwd, pw->pw_passwd); > if (passwd[0] == '\0' && pw->pw_passwd[0] != '\0') > xpasswd = ":"; > @@ -1492,11 +1520,21 @@ > stats = 0; > > dochroot = > - checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue) > + checkuser(_PATH_FTPCHROOT, pw->pw_name, 1, &residue, &ecode) > #ifdef LOGIN_CAP /* Allow login.conf configuration as well */ > || login_getcapbool(lc, "ftp-chroot", 0) > #endif > ; > + /* > + * It is possible that checkuser() failed to open the chroot file. > + * If this is the case, report that logins are un-available, since we > + * have no way of checking whether or not the user should be chrooted. > + * We ignore ENOENT since it is not required that this file be present. > + */ > + if (ecode != 0 && ecode != ENOENT) { > + reply(530, "Login not available right now."); > + return; > + } > chrootdir = NULL; > /* > * For a chrooted local user, > @@ -1543,7 +1581,6 @@ > reply(550, "Can't change root."); > goto bad; > } > - __FreeBSD_libc_enter_restricted_mode(); > } else /* real user w/o chroot */ > homedir = pw->pw_dir; > /* 
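Review bot: In the pass() hunk at @@ -1492 the new `reply(530, "Login not available right now."); return;` path leaves with a bare `return`, whereas the neighbouring chroot failure (`reply(550, "Can't change root."); goto bad;` in the @@ -1543 hunk) unwinds through `bad:`. By this point in pass() the password has been accepted and, as far as I recall the surrounding code, logged_in has been set and the effective gid changed, so returning here skips whatever cleanup `bad:` performs and leaves the session half logged in; use `goto bad;` to match. pass() starts before and continues after this hunk.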
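Review bot: The hunk at @@ -1543 deletes the `__FreeBSD_libc_enter_restricted_mode();` call made right after the chroot succeeds, which is unrelated to OPIE and undoes a security fix: that call switches libc into a mode in which nsswitch will not dlopen NSS modules, so a user who can write inside the chroot cannot have ftpd load a library of their choosing. Removing it reintroduces that exposure for every chrooted ftpd user; the line must stay. Together with the other unrelated reversions in this file (@@ -105, @@ -1874), the ftpd.c part of the patch looks like it was diffed against a pre-fix copy and should be regenerated against revision 238165.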
> @@ -1874,12 +1911,20 @@ > #ifdef TCP_NOPUSH > /* > * Turn off push flag to keep sender TCP from sending short packets > - * at the boundaries of each write(). > + * at the boundaries of each write(). Should probably do a SO_SNDBUF > + * to set the send buffer size as well, but that may not be desirable > + * in heavy-load situations. > */ > on = 1; > if (setsockopt(s, IPPROTO_TCP, TCP_NOPUSH, &on, sizeof on) < 0) > syslog(LOG_WARNING, "data setsockopt (TCP_NOPUSH): %m"); > #endif > +#ifdef SO_SNDBUF > + on = 65536; > + if (setsockopt(s, SOL_SOCKET, SO_SNDBUF, &on, sizeof on) < 0) > + syslog(LOG_WARNING, "data setsockopt (SO_SNDBUF): %m"); > +#endif > + > return (fdopen(s, mode)); > bad: > /* Return the real value of errno (close may change it) */ > @@ -3471,3 +3516,4 @@ > } > return(socks); > } > + > > >>Release-Note: >>Audit-Trail: >>Unformatted: > _______________________________________________ > freebsd-bugs@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-bugs > To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org" > _______________________________________________ freebsd-bugs@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-bugs To unsubscribe, send any mail to "freebsd-bugs-unsubscr...@freebsd.org"
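Review bot: The hunk at @@ -1874 sets an unconditional `SO_SNDBUF` of 65536 on every data connection while the comment it extends still says ftpd "should probably" set SO_SNDBUF and that doing so "may not be desirable in heavy-load situations", so comment and code now contradict each other; it is also unrelated to the OPIE knob. Either drop the hunk from this PR or make the size a tunable and reword the comment to describe what is actually done. The blank line appended at @@ -3471 is whitespace-only and should go too.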