tags 537848 patch
thanks

On Thu, Jul 23, 2009 at 12:41:05PM +0200, vor...@debian.org wrote:
> 
> On Tue, Jul 21, 2009 at 12:52:53PM +0200, Nicolas FRANCOIS (Nekral) wrote:
> > pam_securetty currently first checks if the user is valid and then checks
> > if the tty is secure.
> 
> > pam_securetty should only prevent root logins on insecure ttys.
> > pam_securetty can consider invalid users as possibly mis-typed root users,
> > but those invalid users should not be rejected (by pam_securetty) on
> > secure ttys.
> 
> > This was triggered by the discussion on http://bugs.debian.org/531341
> 
> I agree, the module should not enforce username checks on secure ttys.  Any
> chance you could provide a patch for this?  If not, I'll put it in my queue.

Here is a patch.

Cheers,
-- 
Nekral
Index: sid/modules/pam_securetty/pam_securetty.8.xml
===================================================================
--- sid.orig/modules/pam_securetty/pam_securetty.8.xml  2009-07-23 17:39:39.624159812 +0200
+++ sid/modules/pam_securetty/pam_securetty.8.xml       2009-07-23 17:40:05.924151717 +0200
@@ -116,7 +116,7 @@
         </listitem>
       </varlistentry>
       <varlistentry>
-        <term>PAM_IGNORE</term>
+        <term>PAM_USER_UNKNOWN</term>
         <listitem>
           <para>
             The module could not find the user name in the
Index: sid/modules/pam_securetty/pam_securetty.c
===================================================================
--- sid.orig/modules/pam_securetty/pam_securetty.c      2009-07-23 17:39:36.904158303 +0200
+++ sid/modules/pam_securetty/pam_securetty.c   2009-07-23 17:48:55.596157670 +0200
@@ -82,13 +82,11 @@
     }
 
     user_pwd = pam_modutil_getpwnam(pamh, username);
-    if (user_pwd == NULL) {
-       return PAM_USER_UNKNOWN;
-    } else if (user_pwd->pw_uid != 0) { /* If the user is not root,
-                                          securetty's does not apply
-                                          to them */
+    if (user_pwd != NULL && user_pwd->pw_uid != 0) {
+       /* If the user is not root, securetty's does not apply to them */
        return PAM_SUCCESS;
     }
+    /* The user is now either root or an invalid / mistyped username */
 
     retval = pam_get_item(pamh, PAM_TTY, &void_uttyname);
     uttyname = void_uttyname;
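Review bot: The comment added after the `pw_uid != 0` test says who reaches the tty check but not the consequence: an unknown name is no longer rejected here, so on a secure tty a later module in the stack has to reject it. I would expand it to `/* Root or an unknown (possibly mistyped root) name: both get the tty check. On a secure tty an unknown name is not rejected by this module. */` so the contract is stated where the early `PAM_USER_UNKNOWN` return was removed. The comment inside the branch also reads better as `securetty does not apply to them`. The enclosing function starts and ends outside this hunk, so the value finally returned is inferred from the last hunk rather than visible here.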
@@ -98,10 +96,13 @@
     }
 
     retval = _pammodutil_tty_secure(pamh, uttyname);
-    if ((retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
+    if ((user_pwd != NULL) && (retval == PAM_SUCCESS) && (ctrl & PAM_DEBUG_ARG)) {
        pam_syslog(pamh, LOG_DEBUG, "access allowed for '%s' on '%s'",
                   username, uttyname);
     } else if (retval != PAM_SUCCESS) {
+       if (user_pwd == NULL) {
+           retval = PAM_USER_UNKNOWN;
+       }
        pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure !",
                   uttyname);
     }
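Review bot: In the `else if (retval != PAM_SUCCESS)` branch the warning text is the same for root and for an unknown name, so the log cannot show which of the two was denied even though the return code now differs. The added `user_pwd != NULL` test on the debug message keeps an unknown name, which may be a password typed at the login prompt, out of the log. That reason deserves a comment such as `/* never log an unknown name: it may be a mistyped password */`. The category can still be recorded without the name, e.g. `pam_syslog(pamh, LOG_WARNING, "access denied: tty '%s' is not secure (%s)", uttyname, user_pwd ? "root" : "unknown user");`. Overwriting `retval` with `PAM_USER_UNKNOWN` also discards whatever `_pammodutil_tty_secure` returned, so it is worth confirming that applications do not show a different message for that code on an insecure tty.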
