Add a suid root helper for pam_unix
AbandonedPublic

Authored by zirias on Feb 19 2022, 9:51 AM.
Details

Reviewers
des
cy
Summary

pam_unix needs to read the system's password database for
authentication. This requires the calling process to run with root
privileges.

Software authenticating with PAM therefore often uses its own suid-root
helpers that do the whole authentication conversation privileged.

A helper for pam_unix can simplify this and reduce the code that must
run privileged, at least for the most common use case of authenticating
as self (needed for example by screen lockers). This helper drops
privileges directly after obtaining the password hash from the database.

Test Plan

As user_a, with both user_a and user_b being normal, unprivileged users:

$ echo <user_a_password> | /usr/libexec/pam_unix-helper user_a && echo ok
  (should print ok)
$ echo <random_password> | /usr/libexec/pam_unix-helper user_a && echo ok
  (should print nothing)
$ echo <user_b_password> | /usr/libexec/pam_unix-helper user_b && echo ok
  (should print nothing)

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 44511
Build 41399: arc lint + arc unit

Event Timeline

Only authenticate as self

Thanks to Darius on IRC for pointing out this helper could be abused for
automated password guessing.

I changed it now to only allow verifying your *own* password. Although
this doesn't cover all use cases any more, authenticating as self is
probably the most common one (needed for example by screen lockers), so
I think it's still useful.

zirias edited the test plan for this revision. (Show Details)
zirias added a reviewer: des.
cy requested changes to this revision. May 2 2022, 6:01 PM
cy added a subscriber: cy.

Agreed. No.

This revision now requires changes to proceed. May 2 2022, 6:01 PM

Abandoned in favor of new port security/unix-selfauth-helper doing the same thing with pam_exec.