pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/security/pam-pwauth_suid -make this work with the open...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/0a9a410355a7
branches:  trunk
changeset: 544677:0a9a410355a7
user:      drochner <drochner%pkgsrc.org@localhost>
date:      Thu Jul 17 18:00:58 2008 +0000

description:
-make this work with the openpam version in -current
 (I didn't try whether it still works on 4.0. Would be nice if
  someone did it.)
-supply an example pam.conf file
-slow down to avoid abuse, better cleanup in error cases, more paranoia
thanks to Joerg for suggestions

diffstat:

 security/pam-pwauth_suid/MESSAGE                    |   6 ++--
 security/pam-pwauth_suid/Makefile                   |  17 +++++++++------
 security/pam-pwauth_suid/PLIST                      |   6 +++-
 security/pam-pwauth_suid/files/pam_pwauth_suid.c    |  22 ++++++++++++++++++--
 security/pam-pwauth_suid/files/pwauth_suid_helper.c |   9 +++++--
 security/pam-pwauth_suid/files/xscreensaver         |   2 +
 6 files changed, 44 insertions(+), 18 deletions(-)

diffs (170 lines):

diff -r 42479ce38dbc -r 0a9a410355a7 security/pam-pwauth_suid/MESSAGE
--- a/security/pam-pwauth_suid/MESSAGE  Thu Jul 17 17:10:18 2008 +0000
+++ b/security/pam-pwauth_suid/MESSAGE  Thu Jul 17 18:00:58 2008 +0000
@@ -1,6 +1,6 @@
 ===========================================================================
-$NetBSD: MESSAGE,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $
+$NetBSD: MESSAGE,v 1.2 2008/07/17 18:00:58 drochner Exp $
 
-The PAM authentication module "pam_pwauth_suid.so.0" needs to be
-installed into the directory "/usr/lib/security".
+A sample pam.d file for xscreensaver can be found in
+${PREFIX}/share/examples/pam-pwauth_suid
 ===========================================================================
diff -r 42479ce38dbc -r 0a9a410355a7 security/pam-pwauth_suid/Makefile
--- a/security/pam-pwauth_suid/Makefile Thu Jul 17 17:10:18 2008 +0000
+++ b/security/pam-pwauth_suid/Makefile Thu Jul 17 18:00:58 2008 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.4 2008/06/25 18:17:33 drochner Exp $
+# $NetBSD: Makefile,v 1.5 2008/07/17 18:00:58 drochner Exp $
 
-DISTNAME=      pam-pwauth_suid-1.1
+DISTNAME=      pam-pwauth_suid-1.2
 CATEGORIES=    security
 DISTFILES=     # empty
 
@@ -10,11 +10,12 @@
 NO_CHECKSUM=   yes
 WRKSRC=                ${WRKDIR}
 
-HLPDEF+= -DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
+PAMDEF+= -DPATH_HELPER=\"${PREFIX}/libexec/pwauth_suid_helper\"
+PAMDEF+= -DNO_STATIC_MODULES
 
 PKG_DESTDIR_SUPPORT=   user-destdir
 
-INSTALLATION_DIRS=     lib/security libexec
+INSTALLATION_DIRS=     lib/security libexec share/examples/pam-pwauth_suid
 
 do-extract:
        ${CP} ${FILESDIR}/pam_pwauth_suid.c ${FILESDIR}/pwauth_suid_helper.c \
@@ -22,18 +23,20 @@
 
 do-build:
        (cd ${WRKSRC} && \
-        ${CC} ${CFLAGS} -c -fPIC ${HLPDEF} pam_pwauth_suid.c && \
-        ${LD} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so.0 && \
+        ${CC} ${CFLAGS} -c -fPIC ${PAMDEF} pam_pwauth_suid.c && \
+        ${LD} -shared pam_pwauth_suid.o -o pam_pwauth_suid.so && \
         ${CC} ${CFLAGS} pwauth_suid_helper.c -o pwauth_suid_helper -lcrypt)
 
 do-install:
        ${INSTALL_DATA_DIR} ${DESTDIR}${PREFIX}/lib/security
-       ${INSTALL_DATA} ${WRKSRC}/pam_pwauth_suid.so.0 \
+       ${INSTALL_DATA} ${WRKSRC}/pam_pwauth_suid.so \
                ${DESTDIR}${PREFIX}/lib/security
        ${INSTALL_PROGRAM_DIR} ${DESTDIR}${PREFIX}/libexec
        ${INSTALL_PROGRAM} ${WRKSRC}/pwauth_suid_helper \
                ${DESTDIR}${PREFIX}/libexec
        ${CHMOD} 04555 ${DESTDIR}${PREFIX}/libexec/pwauth_suid_helper
+       sed -e 's|@PREFIX@|${PREFIX}|g' ${FILESDIR}/xscreensaver > \
+               ${DESTDIR}${PREFIX}/share/examples/pam-pwauth_suid/xscreensaver
 
 .include "../../mk/pam.buildlink3.mk"
 .include "../../mk/bsd.pkg.mk"
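Review bot: The two lines added to do-install call `sed` directly, while every other command in this target goes through a pkgsrc variable (`${INSTALL_DATA}`, `${INSTALL_PROGRAM}`, `${CHMOD}`); `${SED} -e 's|@PREFIX@|${PREFIX}|g'` would keep the substitution on the tool pkgsrc selected. The shell redirection also creates the example file with whatever umask the install runs under rather than an explicit mode. Doing the substitution into `${WRKSRC}` during do-build and installing the result with `${INSTALL_DATA}` would give it the same mode handling as the other installed files.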
diff -r 42479ce38dbc -r 0a9a410355a7 security/pam-pwauth_suid/PLIST
--- a/security/pam-pwauth_suid/PLIST    Thu Jul 17 17:10:18 2008 +0000
+++ b/security/pam-pwauth_suid/PLIST    Thu Jul 17 18:00:58 2008 +0000
@@ -1,3 +1,5 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $
-lib/security/pam_pwauth_suid.so.0
+@comment $NetBSD: PLIST,v 1.2 2008/07/17 18:00:58 drochner Exp $
+lib/security/pam_pwauth_suid.so
 libexec/pwauth_suid_helper
+share/examples/pam-pwauth_suid/xscreensaver
+@dirrm share/examples/pam-pwauth_suid
diff -r 42479ce38dbc -r 0a9a410355a7 security/pam-pwauth_suid/files/pam_pwauth_suid.c
--- a/security/pam-pwauth_suid/files/pam_pwauth_suid.c  Thu Jul 17 17:10:18 2008 +0000
+++ b/security/pam-pwauth_suid/files/pam_pwauth_suid.c  Thu Jul 17 18:00:58 2008 +0000
@@ -1,6 +1,7 @@
-/* $NetBSD: pam_pwauth_suid.c,v 1.2 2007/09/05 20:29:05 drochner Exp $ */
+/* $NetBSD: pam_pwauth_suid.c,v 1.3 2008/07/17 18:00:58 drochner Exp $ */
 
 #include <sys/types.h>
+#define PAM_SM_AUTH
 #include <security/pam_appl.h>
 #include <security/pam_modules.h>
 
@@ -26,8 +27,10 @@
        /* make sure only we get the exit status of the helper */
        sigemptyset(&chldsig);
        sigaddset(&chldsig, SIGCHLD);
-       if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0)
-               return errno;
+       if (sigprocmask(SIG_BLOCK, &chldsig, &omask) < 0) {
+               err = errno;
+               goto error2;
+       }
 
        pid = vfork();
        switch (pid) {
@@ -42,6 +45,7 @@
                        _exit(errno);
                default: /* parent */
                        (void)close(fd[0]);
+                       fd[0] = -1;
                        break;
        }
 
@@ -65,6 +69,10 @@
 
 error:
        sigprocmask(SIG_SETMASK, &omask, 0);
+error2:
+       if (fd[0] != -1)
+               (void)close(fd[0]);
+       (void)close(fd[1]);
        return err;
 }
 
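Review bot: The new `error2:` path calls `close(fd[1])` unconditionally, while `fd[0]` is guarded by the `-1` sentinel this commit adds in the parent branch. If any path that reaches `error:` has already closed `fd[1]` (the code between the fork and the label is outside the hunk, so this is unconfirmed), the second close can land on a descriptor the host application has since reused, which matters for a module that runs inside another program's process. Treating both ends alike avoids that: set `fd[1] = -1` wherever it is closed and use `if (fd[1] != -1) (void)close(fd[1]);` here. The `goto error2` added for the `sigprocmask` failure in the earlier hunk relies on the same assumption, namely that the pipe already exists at that point.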
@@ -88,4 +96,12 @@
        return PAM_SUCCESS;
 }
 
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh, int flags,
+              int argc, const char **argv)
+{
+
+       return PAM_SUCCESS;
+}
+
 PAM_MODULE_ENTRY("pam_passwdhelper");
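Review bot: `pam_sm_setcred` returns `PAM_SUCCESS` with no comment saying why it is a stub; a one-line comment such as `/* nothing to establish: this module only verifies the password */` would tell the next reader it is intentional. Its four parameters are unused, so the function will warn under `-Wextra` unless they are marked unused in whatever way the rest of the file does. Separately, the context line `PAM_MODULE_ENTRY("pam_passwdhelper")` does not match the module's file name `pam_pwauth_suid`; whether that name is used at all once `NO_STATIC_MODULES` is defined is not visible from this hunk.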
diff -r 42479ce38dbc -r 0a9a410355a7 security/pam-pwauth_suid/files/pwauth_suid_helper.c
--- a/security/pam-pwauth_suid/files/pwauth_suid_helper.c       Thu Jul 17 17:10:18 2008 +0000
+++ b/security/pam-pwauth_suid/files/pwauth_suid_helper.c       Thu Jul 17 18:00:58 2008 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: pwauth_suid_helper.c,v 1.1.1.1 2007/01/08 18:39:44 drochner Exp $ */
+/* $NetBSD: pwauth_suid_helper.c,v 1.2 2008/07/17 18:00:58 drochner Exp $ */
 
 #include <pwd.h>
 #include <string.h>
@@ -36,6 +36,7 @@
        if (buflen == 0)
                return (ENOMEM);
        /* pwbuf is \0-terminated here b/c pwbuf is in bss */
+       pwbuf[sizeof(pwbuf) - 1] = '\0'; /* be paranoid */
 
        /*
         * Use username as key rather than uid so that it will not
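Review bot: Forcing `pwbuf[sizeof(pwbuf) - 1] = '\0'` hides over-long input instead of rejecting it: if the read above the hunk can fill the whole buffer, the last byte of the supplied password is silently overwritten and a different string goes on to be checked. A length test next to the existing `buflen == 0` check, for example `if (buflen >= sizeof(pwbuf)) return (EINVAL);`, would turn that case into an explicit failure. The preceding comment still says the buffer is already terminated because it lives in bss, so it should be updated to say which of the two guarantees the code relies on. The read call and the declaration of `pwbuf` are outside the hunk.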
@@ -49,10 +50,12 @@
 
        /*
         * Forcibly eat up some wall time to prevent use of this program
-        * to brute-force? For now assume that process startup time etc.
-        * make it already ineffective.
+        * to brute-force.
         */
+       usleep(100000);
+
        pwhash = crypt(pwbuf, pwent->pw_passwd);
+       memset(pwbuf, 0, sizeof(pwbuf));
        if (pwhash && strcmp(pwhash, pwent->pw_passwd) == 0)
                return (0);
 
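Review bot: The `memset(pwbuf, 0, sizeof(pwbuf))` scrub runs only on the path that reaches `crypt()`, and as a plain store to an object that is not read again it is one the compiler is permitted to drop. Returns taken before this point (the lookup above the hunk presumably has one) leave the password in memory until the process exits; a single cleanup label that wipes `pwbuf` before every return would cover them, using `explicit_memset()` or a volatile-pointer loop where the platform provides one. The same placement issue applies to `usleep(100000)`: paths that return earlier skip the delay, and nothing here records a failed attempt, so the throttle covers only this one code path. Logging failures with `syslog()` would give operators something to alert on. The function's start and end are outside the hunk.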
diff -r 42479ce38dbc -r 0a9a410355a7 security/pam-pwauth_suid/files/xscreensaver
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/security/pam-pwauth_suid/files/xscreensaver       Thu Jul 17 18:00:58 2008 +0000
@@ -0,0 +1,2 @@
+# $NetBSD: xscreensaver,v 1.1 2008/07/17 18:00:58 drochner Exp $
+auth   required        @PREFIX@/lib/security/pam_pwauth_suid.so


