Details

Reviewers

des
khng

Commits

rG26db194f3db1: pam_exec: fix segfault when authtok is null
rG277c0c4d2512: pam_exec: fix segfault when authtok is null
rGea80848e1c06: pam_exec: fix segfault when authtok is null
rGb75e0eed345d: pam_exec: fix segfault when authtok is null

Summary

According to pam_exec(8), the expose_authtok option should be ignored when
the service function is pam_sm_setcred. Currently pam_exec only prevent
prompt for anth token when expose_authtok is set on pam_sm_setcred. This
subsequently led to segfault when there isn't an existing auth token available.

Bug reported on this: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=263893

After reading https://reviews.freebsd.org/rS349556 I am not sure if the default
behaviour supposed to be simply not prompt for authentication token, or is it
to ignore the option entirely as stated in the man page.

This patch is therefore only adding an additional NULL check on the item
pam_get_item provide, and exit with PAM_SYSTEM_ERR when such item is NULL.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

nyan_myuji.xyz created this revision.May 10 2022, 6:30 PM

Herald added subscribers: Contributor Reviews (src), imp. · View Herald TranscriptMay 10 2022, 6:30 PM

nyan_myuji.xyz requested review of this revision.May 10 2022, 6:30 PM

Harbormaster completed remote builds in B45519: Diff 105820.May 10 2022, 6:30 PM

nyan_myuji.xyz added a reviewer: des.May 10 2022, 6:32 PM

zirias added a subscriber: zirias.May 10 2022, 7:23 PM

also check rc

check value of rc to only catch the cases when item is null but rc is success

Harbormaster completed remote builds in B45521: Diff 105822.May 10 2022, 7:42 PM

Fix the submitted diff

Harbormaster completed remote builds in B45537: Diff 105884.May 12 2022, 8:51 AM

Is it ever expected there *is* an authtok available when setcred is called? If not, wouldn't this still fail (and just avoid the crash)?

In D35169#798299, @felix_palmen-it.de wrote:

Is it ever expected there *is* an authtok available when setcred is called?

Yes, if an earlier module (e.g. passwdqc) already prompted for a new password. And the old one will be in PAM_OLD_AUTHTOK if memory serves.

So, does this patch look fine?

Cause if so, I'd apply it locally, so I can move forward writing/testing a "unix selfauth" helper for use with pam_exec :)

des requested changes to this revision.May 16 2022, 1:43 PM

des added inline comments.

lib/libpam/modules/pam_exec/pam_exec.c
267
269–271	There's no harm in setting `authtok` to `NULL`, so you can just leave the assignment outside the `if`.

This revision now requires changes to proceed.May 16 2022, 1:43 PM

Rephrase error message and formatting

Harbormaster completed remote builds in B45592: Diff 106069.May 16 2022, 3:23 PM

@des updated

Hang on, I think the change I requested may have been incorrect...

Ah, sorry, I forgot that OUT() is a macro that wraps return, so everything is fine.

lib/libpam/modules/pam_exec/pam_exec.c
264	extraneous blank line

This revision is now accepted and ready to land.May 16 2022, 4:07 PM

Rephrase error message and formatting
Removed blank line

This revision now requires review to proceed.May 16 2022, 5:09 PM

Harbormaster completed remote builds in B45593: Diff 106075.May 16 2022, 5:09 PM

des accepted this revision.May 16 2022, 5:10 PM

This revision is now accepted and ready to land.May 16 2022, 5:10 PM

zirias mentioned this in D34322: pam_unix: Use suid root helper to authenticate.May 17 2022, 12:09 PM

cy added a subscriber: cy.May 17 2022, 2:23 PM

Would someone mind to commit this, please? It enables correct operation of a suid-root helper that will probably be necessary to support newer versions of xscreensaver.
I also wonder whether this might warrant an EN for the next round of patches?