[SCM] pam wrapper repository - branch master updated
Andreas Schneider
asn at samba.org
Thu Jan 14 06:21:58 UTC 2016
The branch, master has been updated
via 746496c Initial release of pam_wrapper 1.0.0
via 2f13c69 pam_matrix: Call umask before mkstemp()
via 8909db9 pwrap: Make sure pam_library is null-terminated
via 8eba2fe libpamtest: Make sure ri is not used uninitialized
from 5d4184d pwrap: Wrap audit_open() to fix sshd
https://git.samba.org/?p=pam_wrapper.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 746496c5f3919c3da532cdcc0b4a2439a437ed4b
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jan 13 09:42:09 2016 +0100
Initial release of pam_wrapper 1.0.0
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 2f13c698b304cde08841b7ef39cec6375b6a9887
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jan 13 10:57:44 2016 +0100
pam_matrix: Call umask before mkstemp()
Without calling umask() we create and use insecure temporary files that
can leave application and system data vulnerable to attack. Unlikely in
a module created for testing, but better fix it.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 8909db9fdea8a4740bb3939b25d8fd9b727ddbd3
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jan 13 10:54:36 2016 +0100
pwrap: Make sure pam_library is null-terminated
We initialize the array with 0. So do not pass the full size of the
array to make sure the last byte is a null byte.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
commit 8eba2fe5ccb4e9e1637b831f7b342bcb95b3541a
Author: Andreas Schneider <asn at samba.org>
Date: Wed Jan 13 10:50:05 2016 +0100
libpamtest: Make sure ri is not used uninitialized
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 8 +++++++-
src/libpamtest.c | 3 +--
src/modules/pam_matrix.c | 5 +++++
src/pam_wrapper.c | 2 +-
4 files changed, 14 insertions(+), 4 deletions(-)
Changeset truncated at 500 lines:
diff --git a/ChangeLog b/ChangeLog
index 329efc7..869aaa3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,11 @@
ChangeLog
==========
-version 1.0.0 (released 2015-xx-xx)
+version 1.0.0 (released 2016-01-14)
* Initial release
+ - pam_wrapper
+ - libpamtest
+ - pypamtest
+ - pam_matrix
+ - pam_get_items
+ - pam_set_items
diff --git a/src/libpamtest.c b/src/libpamtest.c
index f99c2c7..c6d5b89 100644
--- a/src/libpamtest.c
+++ b/src/libpamtest.c
@@ -210,7 +210,7 @@ static int pamtest_simple_conv(int num_msg,
struct pam_response **response,
void *appdata_ptr)
{
- int i, ri;
+ int i, ri = 0;
int ret;
struct pam_response *reply = NULL;
const char *prompt;
@@ -227,7 +227,6 @@ static int pamtest_simple_conv(int num_msg,
if (reply == NULL) {
return PAM_CONV_ERR;
}
- ri = 0;
}
for (i=0; i < num_msg; i++) {
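Review bot: the commit message for this change has no body, so it is unclear whether `ri` could actually be read unset or whether the declaration-time `ri = 0` only silences an analyzer warning. The removed `ri = 0;` sat inside a conditional block, and the loop that uses `ri` is outside the visible context. Please add one sentence to the message saying which path reached the loop without the assignment.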
diff --git a/src/modules/pam_matrix.c b/src/modules/pam_matrix.c
index 89fdd56..bf5c60a 100644
--- a/src/modules/pam_matrix.c
+++ b/src/modules/pam_matrix.c
@@ -19,6 +19,8 @@
#include "config.h"
#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/stat.h>
#include <pwd.h>
#include <stdlib.h>
@@ -195,6 +197,7 @@ static int pam_matrix_lib_items_put(const char *db,
struct pam_lib_items *pli)
{
int rv;
+ mode_t old_mask;
FILE *fp = NULL;
FILE *fp_tmp = NULL;
char buf[BUFSIZ];
@@ -211,7 +214,9 @@ static int pam_matrix_lib_items_put(const char *db,
}
/* We don't support concurrent runs.. */
+ old_mask = umask(0);
rv = mkstemp(template);
+ umask(old_mask);
if (rv <= 0) {
rv = PAM_BUF_ERR;
goto done;
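Review bot: `old_mask = umask(0);` before `mkstemp(template)` clears the mask rather than tightening it, which does not match the commit message's aim of avoiding insecure temporary files. A restrictive value such as `umask(S_IRWXG | S_IRWXO)` (the constants come from the `<sys/stat.h>` include added above) ensures the file is created without group or other access regardless of the mode the C library's mkstemp() requests. Restoring `old_mask` afterwards can stay as written. Separately, the unchanged check `if (rv <= 0)` treats descriptor 0 as a failure. mkstemp() returns -1 on error, so `rv < 0` is the accurate test.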
diff --git a/src/pam_wrapper.c b/src/pam_wrapper.c
index 9b27bc3..0c451d1 100644
--- a/src/pam_wrapper.c
+++ b/src/pam_wrapper.c
@@ -879,7 +879,7 @@ static void pwrap_init(void)
"PAM path: %s",
libpam_path);
- ret = readlink(libpam_path, pam_library, sizeof(pam_library));
+ ret = readlink(libpam_path, pam_library, sizeof(pam_library) - 1);
PWRAP_LOG(PWRAP_LOG_TRACE,
"PAM library: %s",
pam_library);
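Review bot: the `PWRAP_LOG` of `pam_library` follows `readlink()` directly, with no check of `ret` visible between them, so on failure (-1) the trace line prints whatever the buffer held before the call. Passing `sizeof(pam_library) - 1` keeps the last byte free, but termination still relies on the array having been zeroed earlier, as the commit message notes. Checking `ret < 0` and then setting `pam_library[ret] = '\0'` would make termination local to this call. A return equal to `sizeof(pam_library) - 1` can also mean the link target was truncated, which is worth rejecting for a library path.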
--
pam wrapper repository