|
|
c22a38 |
diff -up linux-pam/modules/pam_exec/pam_exec.c.password-limit linux-pam/modules/pam_exec/pam_exec.c
|
|
|
c22a38 |
--- linux-pam/modules/pam_exec/pam_exec.c.password-limit 2014-08-26 14:02:19.000000000 +0200
|
|
|
c22a38 |
+++ linux-pam/modules/pam_exec/pam_exec.c 2015-06-11 16:10:13.938035623 +0200
|
|
|
c22a38 |
@@ -178,11 +178,11 @@ call_exec (const char *pam_type, pam_han
|
|
|
c22a38 |
}
|
|
|
c22a38 |
|
|
|
c22a38 |
pam_set_item (pamh, PAM_AUTHTOK, resp);
|
|
|
c22a38 |
- authtok = strdupa (resp);
|
|
|
c22a38 |
+ authtok = strndupa (resp, PAM_MAX_RESP_SIZE);
|
|
|
c22a38 |
_pam_drop (resp);
|
|
|
c22a38 |
}
|
|
|
c22a38 |
else
|
|
|
c22a38 |
- authtok = void_pass;
|
|
|
c22a38 |
+ authtok = strndupa (void_pass, PAM_MAX_RESP_SIZE);
|
|
|
c22a38 |
|
|
|
c22a38 |
if (pipe(fds) != 0)
|
|
|
c22a38 |
{
|
|
|
c22a38 |
diff -up linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit linux-pam/modules/pam_exec/pam_exec.8.xml
|
|
|
c22a38 |
--- linux-pam/modules/pam_exec/pam_exec.8.xml.password-limit 2013-09-11 13:59:00.072175034 +0200
|
|
|
c22a38 |
+++ linux-pam/modules/pam_exec/pam_exec.8.xml 2015-06-11 16:09:06.446512718 +0200
|
|
|
c22a38 |
@@ -106,7 +106,8 @@
|
|
|
c22a38 |
During authentication the calling command can read
|
|
|
c22a38 |
the password from <citerefentry>
|
|
|
c22a38 |
<refentrytitle>stdin</refentrytitle><manvolnum>3</manvolnum>
|
|
|
c22a38 |
- </citerefentry>.
|
|
|
c22a38 |
+ </citerefentry>. Only first <emphasis>PAM_MAX_RESP_SIZE</emphasis>
|
|
|
c22a38 |
+ bytes of a password are provided to the command.
|
|
|
c22a38 |
</para>
|
|
|
c22a38 |
</listitem>
|
|
|
c22a38 |
</varlistentry>
|
|
|
c22a38 |
diff -up linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit linux-pam/modules/pam_unix/pam_unix_passwd.c
|
|
|
c22a38 |
--- linux-pam/modules/pam_unix/pam_unix_passwd.c.password-limit 2014-06-19 13:50:08.000000000 +0200
|
|
|
c22a38 |
+++ linux-pam/modules/pam_unix/pam_unix_passwd.c 2015-06-11 16:34:02.226260435 +0200
|
|
|
c22a38 |
@@ -240,15 +240,22 @@ static int _unix_run_update_binary(pam_h
|
|
|
c22a38 |
/* wait for child */
|
|
|
c22a38 |
/* if the stored password is NULL */
|
|
|
c22a38 |
int rc=0;
|
|
|
c22a38 |
- if (fromwhat)
|
|
|
c22a38 |
- pam_modutil_write(fds[1], fromwhat, strlen(fromwhat)+1);
|
|
|
c22a38 |
- else
|
|
|
c22a38 |
- pam_modutil_write(fds[1], "", 1);
|
|
|
c22a38 |
- if (towhat) {
|
|
|
c22a38 |
- pam_modutil_write(fds[1], towhat, strlen(towhat)+1);
|
|
|
c22a38 |
+ if (fromwhat) {
|
|
|
c22a38 |
+ int len = strlen(fromwhat);
|
|
|
c22a38 |
+
|
|
|
c22a38 |
+ if (len > PAM_MAX_RESP_SIZE)
|
|
|
c22a38 |
+ len = PAM_MAX_RESP_SIZE;
|
|
|
c22a38 |
+ pam_modutil_write(fds[1], fromwhat, len);
|
|
|
c22a38 |
}
|
|
|
c22a38 |
- else
|
|
|
c22a38 |
- pam_modutil_write(fds[1], "", 1);
|
|
|
c22a38 |
+ pam_modutil_write(fds[1], "", 1);
|
|
|
c22a38 |
+ if (towhat) {
|
|
|
c22a38 |
+ int len = strlen(towhat);
|
|
|
c22a38 |
+
|
|
|
c22a38 |
+ if (len > PAM_MAX_RESP_SIZE)
|
|
|
c22a38 |
+ len = PAM_MAX_RESP_SIZE;
|
|
|
c22a38 |
+ pam_modutil_write(fds[1], towhat, len);
|
|
|
c22a38 |
+ }
|
|
|
c22a38 |
+ pam_modutil_write(fds[1], "", 1);
|
|
|
c22a38 |
|
|
|
c22a38 |
close(fds[0]); /* close here to avoid possible SIGPIPE above */
|
|
|
c22a38 |
close(fds[1]);
|
|
|
c22a38 |
diff -up linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit linux-pam/modules/pam_unix/pam_unix.8.xml
|
|
|
c22a38 |
--- linux-pam/modules/pam_unix/pam_unix.8.xml.password-limit 2015-06-11 15:46:55.000000000 +0200
|
|
|
c22a38 |
+++ linux-pam/modules/pam_unix/pam_unix.8.xml 2015-06-11 16:38:42.628587102 +0200
|
|
|
c22a38 |
@@ -80,6 +80,13 @@
|
|
|
c22a38 |
</para>
|
|
|
c22a38 |
|
|
|
c22a38 |
<para>
|
|
|
c22a38 |
+ The maximum length of a password supported by the pam_unix module
|
|
|
c22a38 |
+ via the helper binary is <emphasis>PAM_MAX_RESP_SIZE</emphasis>
|
|
|
c22a38 |
+ - currently 512 bytes. The rest of the password provided by the
|
|
|
c22a38 |
+ conversation function to the module will be ignored.
|
|
|
c22a38 |
+ </para>
|
|
|
c22a38 |
+
|
|
|
c22a38 |
+ <para>
|
|
|
c22a38 |
The password component of this module performs the task of updating
|
|
|
c22a38 |
the user's password. The default encryption hash is taken from the
|
|
|
c22a38 |
<emphasis remap='B'>ENCRYPT_METHOD</emphasis> variable from
|
|
|
c22a38 |
diff -up linux-pam/modules/pam_unix/passverify.c.password-limit linux-pam/modules/pam_unix/passverify.c
|
|
|
c22a38 |
--- linux-pam/modules/pam_unix/passverify.c.password-limit 2015-04-07 10:23:50.000000000 +0200
|
|
|
c22a38 |
+++ linux-pam/modules/pam_unix/passverify.c 2015-06-15 10:53:32.903900010 +0200
|
|
|
c22a38 |
@@ -1115,12 +1115,15 @@ getuidname(uid_t uid)
|
|
|
c22a38 |
int
|
|
|
c22a38 |
read_passwords(int fd, int npass, char **passwords)
|
|
|
c22a38 |
{
|
|
|
c22a38 |
+ /* The passwords array must contain npass preallocated
|
|
|
c22a38 |
+ * buffers of length MAXPASS + 1
|
|
|
c22a38 |
+ */
|
|
|
c22a38 |
int rbytes = 0;
|
|
|
c22a38 |
int offset = 0;
|
|
|
c22a38 |
int i = 0;
|
|
|
c22a38 |
char *pptr;
|
|
|
c22a38 |
while (npass > 0) {
|
|
|
c22a38 |
- rbytes = read(fd, passwords[i]+offset, MAXPASS-offset);
|
|
|
c22a38 |
+ rbytes = read(fd, passwords[i]+offset, MAXPASS+1-offset);
|
|
|
c22a38 |
|
|
|
c22a38 |
if (rbytes < 0) {
|
|
|
c22a38 |
if (errno == EINTR) continue;
|
|
|
c22a38 |
diff -up linux-pam/modules/pam_unix/passverify.h.password-limit linux-pam/modules/pam_unix/passverify.h
|
|
|
c22a38 |
--- linux-pam/modules/pam_unix/passverify.h.password-limit 2011-03-21 21:59:22.000000000 +0100
|
|
|
c22a38 |
+++ linux-pam/modules/pam_unix/passverify.h 2015-06-11 16:26:27.184994387 +0200
|
|
|
c22a38 |
@@ -8,7 +8,7 @@
|
|
|
c22a38 |
|
|
|
c22a38 |
#define PAM_UNIX_RUN_HELPER PAM_CRED_INSUFFICIENT
|
|
|
c22a38 |
|
|
|
c22a38 |
-#define MAXPASS 200 /* the maximum length of a password */
|
|
|
c22a38 |
+#define MAXPASS PAM_MAX_RESP_SIZE /* the maximum length of a password */
|
|
|
c22a38 |
|
|
|
c22a38 |
#define OLD_PASSWORDS_FILE "/etc/security/opasswd"
|
|
|
c22a38 |
|
|
|
c22a38 |
diff -up linux-pam/modules/pam_unix/support.c.password-limit linux-pam/modules/pam_unix/support.c
|
|
|
c22a38 |
--- linux-pam/modules/pam_unix/support.c.password-limit 2014-01-27 18:08:28.000000000 +0100
|
|
|
c22a38 |
+++ linux-pam/modules/pam_unix/support.c 2015-06-11 16:30:35.452595477 +0200
|
|
|
c22a38 |
@@ -609,7 +609,12 @@ static int _unix_run_helper_binary(pam_h
|
|
|
c22a38 |
/* if the stored password is NULL */
|
|
|
c22a38 |
int rc=0;
|
|
|
c22a38 |
if (passwd != NULL) { /* send the password to the child */
|
|
|
c22a38 |
- if (write(fds[1], passwd, strlen(passwd)+1) == -1) {
|
|
|
c22a38 |
+ int len = strlen(passwd);
|
|
|
c22a38 |
+
|
|
|
c22a38 |
+ if (len > PAM_MAX_RESP_SIZE)
|
|
|
c22a38 |
+ len = PAM_MAX_RESP_SIZE;
|
|
|
c22a38 |
+ if (write(fds[1], passwd, len) == -1 ||
|
|
|
c22a38 |
+ write(fds[1], "", 1) == -1) {
|
|
|
c22a38 |
pam_syslog (pamh, LOG_ERR, "Cannot send password to helper: %m");
|
|
|
c22a38 |
retval = PAM_AUTH_ERR;
|
|
|
c22a38 |
}
|