When PAM support was added to rexecd in revision 1.29 (just prior to
5.0-RELEASE), a visually elusive bug was introduced. A comparison operator was changed to assignment. As a result, rexecd behaved always as if the `-i' option had been specified. It would allow root logins. This commit corrects the situation in the obvious way. A separate bug was introduced at the same time. The PAM library functions are called between the invocation of getpwnam(3) and the use of the returned static object. Since many PAM library functions result in additional getpwnam(3) calls, the contents of the returned static object could be changed from under rexecd. With this commit, getpwnam_r(3) is used instead. Other PAM-using applications should be reviewed for similar errors in getpw* usage. Security: rexecd's documented default policy of disallowing root logins was not enforced. Reviewed by: cperciva
This commit is contained in:
parent
8acd37ef20
commit
0fcbbd7bea
@ -135,7 +135,9 @@ doit(struct sockaddr *fromp)
|
||||
char *cmdbuf, *cp;
|
||||
int maxcmdlen;
|
||||
char user[16], pass[16];
|
||||
struct passwd *pwd;
|
||||
struct passwd *pwd, pwd_storage;
|
||||
char *pwdbuf;
|
||||
int pwdbuflen;
|
||||
int fd, r, sd;
|
||||
u_short port;
|
||||
int pv[2], pid, cc, nfds;
|
||||
@ -190,7 +192,20 @@ doit(struct sockaddr *fromp)
|
||||
getstr(cmdbuf, maxcmdlen, "command");
|
||||
(void) alarm(0);
|
||||
|
||||
if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid = 0 && no_uid_0) ||
|
||||
pwdbuflen = BUFSIZ;
|
||||
pwdbuf = NULL;
|
||||
pwd = NULL;
|
||||
r = ERANGE;
|
||||
while (pwd == NULL && r == ERANGE) {
|
||||
pwdbuflen <<= 1;
|
||||
if ((pwdbuf = reallocf(pwdbuf, pwdbuflen)) == NULL) {
|
||||
syslog(LOG_ERR, "Cannot allocate memory");
|
||||
error("Cannot allocate memory.\n");
|
||||
exit(1);
|
||||
}
|
||||
r = getpwnam_r(user, &pwd_storage, pwdbuf, pwdbuflen, &pwd);
|
||||
}
|
||||
if (pwd == NULL || (pwd->pw_uid == 0 && no_uid_0) ||
|
||||
!pam_ok(pam_start("rexecd", user, &pamc, &pamh)) ||
|
||||
!pam_ok(pam_set_item(pamh, PAM_RHOST, remote)) ||
|
||||
!pam_ok(pam_set_item(pamh, PAM_AUTHTOK, pass)) ||
|
||||
|
Loading…
Reference in New Issue
Block a user