|
|
e0a759 |
From 370064ef6f99581b08d473a42bb3417d5dda3e4e Mon Sep 17 00:00:00 2001
|
|
|
e0a759 |
From: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
e0a759 |
Date: Thu, 17 Feb 2022 10:24:03 +0100
|
|
|
e0a759 |
Subject: [PATCH] pam_usertype: only use SYS_UID_MAX for system users
|
|
|
e0a759 |
|
|
|
e0a759 |
* modules/pam_usertype/pam_usertype.c (pam_usertype_is_system): Stop
|
|
|
e0a759 |
using SYS_UID_MIN to check if it is a system account, because all
|
|
|
e0a759 |
accounts below the SYS_UID_MAX are system users.
|
|
|
e0a759 |
* modules/pam_usertype/pam_usertype.8.xml: Remove reference to SYS_UID_MIN
|
|
|
e0a759 |
as it is no longer used to calculate the system accounts.
|
|
|
e0a759 |
* configure.ac: Remove PAM_USERTYPE_SYSUIDMIN.
|
|
|
e0a759 |
|
|
|
e0a759 |
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1949137
|
|
|
e0a759 |
Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
|
|
|
e0a759 |
---
|
|
|
e0a759 |
configure.ac | 5 -----
|
|
|
e0a759 |
modules/pam_usertype/pam_usertype.8.xml | 2 +-
|
|
|
e0a759 |
modules/pam_usertype/pam_usertype.c | 15 ++++++---------
|
|
|
e0a759 |
3 files changed, 7 insertions(+), 15 deletions(-)
|
|
|
e0a759 |
|
|
|
e0a759 |
diff --git a/configure.ac b/configure.ac
|
|
|
e0a759 |
index 639fc1ad..79113ad1 100644
|
|
|
e0a759 |
--- a/configure.ac
|
|
|
e0a759 |
+++ b/configure.ac
|
|
|
e0a759 |
@@ -632,11 +632,6 @@ test -n "$opt_uidmin" ||
|
|
|
e0a759 |
opt_uidmin=1000
|
|
|
e0a759 |
AC_DEFINE_UNQUOTED(PAM_USERTYPE_UIDMIN, $opt_uidmin, [Minimum regular user uid.])
|
|
|
e0a759 |
|
|
|
e0a759 |
-AC_ARG_WITH([sysuidmin], AS_HELP_STRING([--with-sysuidmin=<number>],[default value for system user min uid (101)]), opt_sysuidmin=$withval)
|
|
|
e0a759 |
-test -n "$opt_sysuidmin" ||
|
|
|
e0a759 |
- opt_sysuidmin=101
|
|
|
e0a759 |
-AC_DEFINE_UNQUOTED(PAM_USERTYPE_SYSUIDMIN, $opt_sysuidmin, [Minimum system user uid.])
|
|
|
e0a759 |
-
|
|
|
e0a759 |
AC_ARG_WITH([kernel-overflow-uid], AS_HELP_STRING([--with-kernel-overflow-uid=<number>],[kernel overflow uid, default (uint16_t)-2=65534]), opt_kerneloverflowuid=$withval)
|
|
|
e0a759 |
test -n "$opt_kerneloverflowuid" ||
|
|
|
e0a759 |
opt_kerneloverflowuid=65534
|
|
|
e0a759 |
diff --git a/modules/pam_usertype/pam_usertype.8.xml b/modules/pam_usertype/pam_usertype.8.xml
|
|
|
e0a759 |
index 7651da6e..d9307ba3 100644
|
|
|
e0a759 |
--- a/modules/pam_usertype/pam_usertype.8.xml
|
|
|
e0a759 |
+++ b/modules/pam_usertype/pam_usertype.8.xml
|
|
|
e0a759 |
@@ -31,7 +31,7 @@
|
|
|
e0a759 |
pam_usertype.so is designed to succeed or fail authentication
|
|
|
e0a759 |
based on type of the account of the authenticated user.
|
|
|
e0a759 |
The type of the account is decided with help of
|
|
|
e0a759 |
- <emphasis>SYS_UID_MIN</emphasis> and <emphasis>SYS_UID_MAX</emphasis>
|
|
|
e0a759 |
+ <emphasis>SYS_UID_MAX</emphasis>
|
|
|
e0a759 |
settings in <emphasis>/etc/login.defs</emphasis>. One use is to select
|
|
|
e0a759 |
whether to load other modules based on this test.
|
|
|
e0a759 |
</para>
|
|
|
e0a759 |
diff --git a/modules/pam_usertype/pam_usertype.c b/modules/pam_usertype/pam_usertype.c
|
|
|
e0a759 |
index d03b73b5..cfd9c8bb 100644
|
|
|
e0a759 |
--- a/modules/pam_usertype/pam_usertype.c
|
|
|
e0a759 |
+++ b/modules/pam_usertype/pam_usertype.c
|
|
|
e0a759 |
@@ -194,7 +194,6 @@ static int
|
|
|
e0a759 |
pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
|
|
e0a759 |
{
|
|
|
e0a759 |
uid_t uid_min;
|
|
|
e0a759 |
- uid_t sys_min;
|
|
|
e0a759 |
uid_t sys_max;
|
|
|
e0a759 |
|
|
|
e0a759 |
if (uid == (uid_t)-1) {
|
|
|
e0a759 |
@@ -202,21 +201,19 @@ pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
|
|
|
e0a759 |
return PAM_USER_UNKNOWN;
|
|
|
e0a759 |
}
|
|
|
e0a759 |
|
|
|
e0a759 |
- if (uid <= 99) {
|
|
|
e0a759 |
- /* Reserved. */
|
|
|
e0a759 |
- return PAM_SUCCESS;
|
|
|
e0a759 |
- }
|
|
|
e0a759 |
-
|
|
|
e0a759 |
if (uid == PAM_USERTYPE_OVERFLOW_UID) {
|
|
|
e0a759 |
/* nobody */
|
|
|
e0a759 |
return PAM_SUCCESS;
|
|
|
e0a759 |
}
|
|
|
e0a759 |
|
|
|
e0a759 |
uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
|
|
|
e0a759 |
- sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
|
|
|
e0a759 |
sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
|
|
|
e0a759 |
|
|
|
e0a759 |
- return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
|
|
|
e0a759 |
+ if (uid <= sys_max && uid < uid_min) {
|
|
|
e0a759 |
+ return PAM_SUCCESS;
|
|
|
e0a759 |
+ }
|
|
|
e0a759 |
+
|
|
|
e0a759 |
+ return PAM_AUTH_ERR;
|
|
|
e0a759 |
}
|
|
|
e0a759 |
|
|
|
e0a759 |
static int
|
|
|
e0a759 |
@@ -253,7 +250,7 @@ pam_usertype_evaluate(struct pam_usertype_opts *opts,
|
|
|
e0a759 |
|
|
|
e0a759 |
/**
|
|
|
e0a759 |
* Arguments:
|
|
|
e0a759 |
- * - issystem: uid in <SYS_UID_MIN, SYS_UID_MAX>
|
|
|
e0a759 |
+ * - issystem: uid less than SYS_UID_MAX
|
|
|
e0a759 |
* - isregular: not issystem
|
|
|
e0a759 |
* - use_uid: use user that runs application not that is being authenticate (same as in pam_succeed_if)
|
|
|
e0a759 |
* - audit: log unknown users to syslog
|
|
|
e0a759 |
--
|
|
|
e0a759 |
2.36.1
|
|
|
e0a759 |
|