From nobody@FreeBSD.org  Sat Jan  6 11:47:16 2007
Message-Id: <200701061147.l06BlFdV005332@www.freebsd.org>
Date: Sat, 6 Jan 2007 11:47:15 GMT
From: TANAKA Hiroyuki<kattyo@abk.nu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pam_nologin(8) ignores the login class capability nologin except for the default class.
X-Send-Pr-Version: www-3.0

>Number:         107612
>Category:       bin
>Synopsis:       [patch] pam_nologin(8) ignores the login class capability nologin except for the default class.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    yar
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 06 11:50:20 GMT 2007
>Closed-Date:    Thu Jul 12 14:28:28 GMT 2007
>Last-Modified:  Thu Jul 12 14:28:28 GMT 2007
>Originator:     TANAKA Hiroyuki
>Release:        6.2-RC1
>Organization:
>Environment:
FreeBSD tachikoma 6.2-RC1 FreeBSD 6.2-RC1 #0: Thu Nov 16 05:12:08 UTC 2006     root@opus.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP  i386
>Description:
The pam_nologin module only uses the "default" entry in the /etc/login.conf database.
I want to use login classes for local users to control nologin with specific PAM entries.
>How-To-Repeat:

>Fix:


Patch attached with submission follows:

--- pam_nologin.c.org	Sat Apr 13 07:27:21 2002
+++ pam_nologin.c	Sat Jan  6 20:18:32 2007
@@ -73,7 +73,11 @@
 
 	PAM_LOG("Got user: %s", user);
 
-	lc = login_getclass(NULL);
+	pwd = getpwnam(user);
+	if (pwd && pwd->pw_uid == 0)
+		retval = PAM_SUCCESS;
+	
+	lc = login_getpwclass(pwd);
 	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
 	login_close(lc);
 	lc = NULL;
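Review bot: the added `+	` line before `lc = login_getpwclass(pwd);` is whitespace-only (a stray tab) and should be dropped. Also note that `login_getpwclass(pwd)` is now reached with `pwd == NULL` when getpwnam() fails; libutil resolves a NULL passwd to the default class, so the lookup itself is safe, but the `retval = PAM_SUCCESS` set here for uid 0 is only useful if the later retval assignment preserves it.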
@@ -84,15 +88,10 @@
 
 	PAM_LOG("Opened %s file", NOLOGIN);
 
-	pwd = getpwnam(user);
-	if (pwd && pwd->pw_uid == 0)
-		retval = PAM_SUCCESS;
-	else {
-		if (!pwd)
-			retval = PAM_USER_UNKNOWN;
-		else
-			retval = PAM_AUTH_ERR;
-	}
+	if (!pwd)
+		retval = PAM_USER_UNKNOWN;
+	else
+		retval = PAM_AUTH_ERR;
 
 	if (fstat(fd, &st) < 0)
 		return (retval);
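Review bot: the replacement `if (!pwd) retval = PAM_USER_UNKNOWN; else retval = PAM_AUTH_ERR;` unconditionally overwrites the PAM_SUCCESS assigned to uid 0 in the first hunk, so root is refused whenever the class's nologin file exists; the submitter's follow-up reports exactly that lockout. Keep the uid-0 branch, e.g. `else if (pwd->pw_uid != 0) retval = PAM_AUTH_ERR;`, or leave the original three-way assignment in place and move only the login-class lookup.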

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: remko 
Responsible-Changed-When: Sun Jan 7 11:23:49 UTC 2007 
Responsible-Changed-Why:  
Hello DES, I thought this was your area. Can you have a look at this 
ticket please? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107612 

From: TANAKA Hiroyuki <kattyo@abk.nu>
To: bug-followup@FreeBSD.org
Cc: kattyo@abk.nu
Subject: Re: bin/107612: [patch] pam_nologin(8) ignores the login class capability nologin except for the default class.
Date: Mon, 08 Jan 2007 04:54:39 +0900

 Hi,
 
 My patch is wrong, root cannot log in.
 I am sending the new one.
 -- 
 TANAKA Hiroyuki <kattyo@abk.nu>
 
 Attachment: pam_nologin.c.diff.txt (decoded from base64)
 
 --- pam_nologin.c.org	Sat Apr 13 07:27:21 2002
 +++ pam_nologin.c	Mon Jan  8 04:38:06 2007
 @@ -73,17 +73,6 @@
  
  	PAM_LOG("Got user: %s", user);
  
 -	lc = login_getclass(NULL);
 -	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
 -	login_close(lc);
 -	lc = NULL;
 -
 -	fd = open(nologin, O_RDONLY, 0);
 -	if (fd < 0)
 -		return (PAM_SUCCESS);
 -
 -	PAM_LOG("Opened %s file", NOLOGIN);
 -
  	pwd = getpwnam(user);
  	if (pwd && pwd->pw_uid == 0)
  		retval = PAM_SUCCESS;
 @@ -93,6 +82,17 @@
  		else
  			retval = PAM_AUTH_ERR;
  	}
 +	
 +	lc = login_getpwclass(pwd);
 +	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
 +	login_close(lc);
 +	lc = NULL;
 +
 +	fd = open(nologin, O_RDONLY, 0);
 +	if (fd < 0)
 +		return (PAM_SUCCESS);
 +
 +	PAM_LOG("Opened %s file", NOLOGIN);
  
  	if (fstat(fd, &st) < 0)
  		return (retval);
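Review bot: `PAM_LOG("Opened %s file", NOLOGIN);` in the second hunk of the re-sent patch still names the compiled-in NOLOGIN path, but the file opened two lines earlier is the per-class `nologin` string returned by login_getcapstr(); log `nologin` so an operator tracing a lockout sees the file that was actually consulted. Moving the class lookup below the getpwnam() block does cure the root lockout of the first version, since retval is now assigned once and the uid-0 value survives to the final `return (retval)`; the whitespace-only `+	` line after the closing brace should still be dropped.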

From: Yar Tikhiy <yar@comp.chem.msu.su>
To: bug-followup@FreeBSD.org, kattyo@abk.nu
Cc: des@FreeBSD.org
Subject: Re: bin/107612: [patch] pam_nologin(8) ignores the login class capability nologin except for the default class.
Date: Thu, 10 May 2007 18:36:21 +0400

 Here's a more sophisticated patch for pam_nologin(8) that
 a) checks for the `ignorenologin' capability in login.conf(5)
 b) does more thorough error checks
 c) avoids referencing deallocated login_cap_t resources.
 
 However, there's a deeper problem related to pam_nologin(8),
 see PR bin/112574.
 
 -- 
 Yar
 
 Index: pam_nologin.c
 ===================================================================
 RCS file: /home/ncvs/src/lib/libpam/modules/pam_nologin/pam_nologin.c,v
 retrieving revision 1.11
 diff -u -p -r1.11 pam_nologin.c
 --- pam_nologin.c	20 Mar 2006 16:56:08 -0000	1.11
 +++ pam_nologin.c	10 May 2007 13:15:37 -0000
 @@ -64,6 +64,7 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  	struct passwd *pwd;
  	struct stat st;
  	int retval, fd;
 +	ssize_t ss;
  	const char *user, *nologin;
  	char *mtmp;
  
 @@ -73,42 +74,49 @@ pam_sm_authenticate(pam_handle_t *pamh, 
  
  	PAM_LOG("Got user: %s", user);
  
 -	lc = login_getclass(NULL);
 -	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
 -	login_close(lc);
 -	lc = NULL;
 +	pwd = getpwnam(user);
 +	if (pwd == NULL)
 +		return (PAM_USER_UNKNOWN);
  
 -	fd = open(nologin, O_RDONLY, 0);
 -	if (fd < 0)
 +	lc = login_getpwclass(pwd);
 +	if (lc == NULL) {
 +		PAM_LOG("Unable to get login class for user %s", user);
 +		return (PAM_SERVICE_ERR);
 +	}
 +
 +	if (login_getcapbool(lc, "ignorenologin", 0)) {
 +		login_close(lc);
  		return (PAM_SUCCESS);
 +	}
  
 -	PAM_LOG("Opened %s file", NOLOGIN);
 +	nologin = login_getcapstr(lc, "nologin", nologin_def, nologin_def);
  
 -	pwd = getpwnam(user);
 -	if (pwd && pwd->pw_uid == 0)
 -		retval = PAM_SUCCESS;
 -	else {
 -		if (!pwd)
 -			retval = PAM_USER_UNKNOWN;
 -		else
 -			retval = PAM_AUTH_ERR;
 +	fd = open(nologin, O_RDONLY, 0);
 +	if (fd < 0) {
 +		login_close(lc);
 +		return (PAM_SUCCESS);
  	}
  
 -	if (fstat(fd, &st) < 0)
 -		return (retval);
 +	PAM_LOG("Opened %s file", nologin);
  
 -	mtmp = malloc(st.st_size + 1);
 -	if (mtmp != NULL) {
 -		read(fd, mtmp, st.st_size);
 -		mtmp[st.st_size] = '\0';
 -		pam_error(pamh, "%s", mtmp);
 -		free(mtmp);
 +	if (fstat(fd, &st) == 0) {
 +		mtmp = malloc(st.st_size + 1);
 +		if (mtmp != NULL) {
 +			ss = read(fd, mtmp, st.st_size);
 +			if (ss > 0) {
 +				mtmp[ss] = '\0';
 +				pam_error(pamh, "%s", mtmp);
 +			}
 +			free(mtmp);
 +		}
  	}
  
 -	if (retval != PAM_SUCCESS)
 -		PAM_VERBOSE_ERROR("Administrator refusing you: %s", NOLOGIN);
 +	PAM_VERBOSE_ERROR("Administrator refusing you: %s", nologin);
 +
 +	close(fd);
 +	login_close(lc);
  
 -	return (retval);
 +	return (PAM_AUTH_ERR);
  }
  
  PAM_EXTERN int
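Review bot: pam_nologin.8 is not part of this diff, yet the hunk changes documented behaviour in two ways: root no longer bypasses nologin unless its login class carries `ignorenologin`, and the `nologin` path is now taken from the user's own class instead of `default`; the man page update belongs in the same commit, and the root change deserves a release note. A second, smaller change: `return (PAM_USER_UNKNOWN);` now happens before the nologin file is looked for, so an unknown user fails in this module even when no nologin file exists, where the old code returned PAM_SUCCESS from the `fd < 0` path; acceptable for a `required` module, but worth a sentence in the man page too. Lastly, `malloc(st.st_size + 1)` sizes the message buffer from whatever file the class's `nologin` capability points at; only the administrator can set that path, so this is tolerable, but a cap on the message length would be cheap and would also bound the `ss > 0` read.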

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/107612: commit references a PR
Date: Thu, 14 Jun 2007 13:07:14 +0000 (UTC)

 yar         2007-06-14 13:07:07 UTC
 
   FreeBSD src repository
 
   Modified files:
     lib/libpam/modules/pam_nologin pam_nologin.8 pam_nologin.c 
   Log:
   Use the current user's login class for the decisions about where
   the nologin(5) file is located and whether the user may bypass its
   restriction.
   
   Add some error checks.
   
   Approved by:    des
   PR:             bin/107612
   
   Revision  Changes    Path
   1.7       +16 -15    src/lib/libpam/modules/pam_nologin/pam_nologin.8
   1.13      +42 -29    src/lib/libpam/modules/pam_nologin/pam_nologin.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: yar 
State-Changed-When: Thu Jun 14 13:20:50 UTC 2007 
State-Changed-Why:  
Fixed in CURRENT, thanks! 


Responsible-Changed-From-To: des->yar 
Responsible-Changed-By: yar 
Responsible-Changed-When: Thu Jun 14 13:20:50 UTC 2007 
Responsible-Changed-Why:  
Fixed in CURRENT, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107612 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/107612: commit references a PR
Date: Thu, 12 Jul 2007 14:12:05 +0000 (UTC)

 yar         2007-07-12 14:11:57 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_6)
     lib/libpam/modules/pam_nologin pam_nologin.8 pam_nologin.c 
   Log:
   MFC:
   
     Use the current user's login class for the decisions about where
     the nologin(5) file is located and whether the user may bypass its
     restriction.
   
     Add some error checks.
   
     Revision  Changes    Path
     1.7       +16 -15    src/lib/libpam/modules/pam_nologin/pam_nologin.8
     1.13      +42 -29    src/lib/libpam/modules/pam_nologin/pam_nologin.c
   
   Note: To avoid POLA violation, the merged module still lets root
   in irrespective of login.conf settings.  In HEAD, root has to have
   an explicit "ignorenologin" capability to bypass nologin(5).
   
   PR:     bin/107612
   
   Revision   Changes    Path
   1.5.14.1   +17 -16    src/lib/libpam/modules/pam_nologin/pam_nologin.8
   1.10.14.1  +47 -28    src/lib/libpam/modules/pam_nologin/pam_nologin.c
 
State-Changed-From-To: patched->closed 
State-Changed-By: yar 
State-Changed-When: Thu Jul 12 14:27:40 UTC 2007 
State-Changed-Why:  
Now fixed both in CURRENT and in 6-STABLE, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107612 
>Unformatted:
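The per-class lookup this PR asks for, and the HEAD versus RELENG_6 difference noted in the last commit message, as an added example that is not part of the PR or of FreeBSD's libpam: a Python model of login.conf(5) parsing and of the module's decision order before and after the patch. The class database, the accounts and the set of existing nologin files are constructed; the fallback rules in getpwclass (empty class means `root` for uid 0 and `default` otherwise, an unknown class falls back to `default`) follow login_cap(3) as remembered and are an assumption, not something this PR states. The parser goes a little beyond what the PR needs by handling `a|b` aliases and `name@` cancellation, since both affect which `nologin` value a class resolves to.

```python
"""login.conf(5) lookup as the patched pam_nologin(8) performs it. Added example, not
FreeBSD's code: a small login.conf(5) parser plus pure functions reproducing the
module's decision order before and after the patch, runnable without a FreeBSD host."""
import os
from collections import namedtuple

PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN"
NOLOGIN_DEFAULT = "/var/run/nologin"     # nologin_def in the module
_MISSING = object()                      # capability absent from the whole tc= chain
Passwd = namedtuple("Passwd", "name uid pw_class")

def parse_login_conf(text):
    """Parse login.conf(5) text into {class: [(cap, value), ...]} in file order."""
    db, records, buf = {}, [], ""
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):                     # backslash-newline continuation
            buf += line[:-1]
        else:
            records.append(buf + line)
            buf = ""
    for rec in records:
        fields, entry = rec.split(":"), []          # values containing ':' unsupported
        for cap in (f.strip() for f in fields[1:] if f.strip()):
            if "=" in cap or "#" in cap:            # name=str or name#num (num kept as text)
                entry.append(tuple(cap.replace("#", "=").split("=", 1)))
            else:                                   # name (true) or name@ (cancelled -> None)
                entry.append((cap[:-1], None) if cap.endswith("@") else (cap, True))
        for name in fields[0].split("|"):           # 'a|b' aliases share one entry
            db[name.strip()] = entry
    return db

def getcap(db, cls, name, seen=()):
    """First match wins, as in cgetcap(3): own entries, then each tc= parent."""
    if cls in seen or cls not in db:
        return _MISSING
    for k, v in db[cls]:
        if k == name:
            return v
    for k, v in db[cls]:
        if k == "tc" and isinstance(v, str):
            found = getcap(db, v, name, seen + (cls,))
            if found is not _MISSING:
                return found
    return _MISSING

def getcapstr(db, cls, name, default):   # login_getcapstr(3): cancelled or absent -> default
    v = getcap(db, cls, name)
    return v if isinstance(v, str) else default

def getcapbool(db, cls, name):           # login_getcapbool(3): present with no value -> true
    return getcap(db, cls, name) is True

def getpwclass(db, pwd):
    """login_getpwclass(3) as assumed here: empty pw_class means 'root' for uid 0,
    else 'default'; a class missing from the database falls back to 'default'."""
    cls = pwd.pw_class or ("root" if pwd.uid == 0 else "default")
    return cls if cls in db else "default"

def pam_nologin(db, pwd, exists=os.path.exists, root_always_allowed=False):
    """Patched order (HEAD); root_always_allowed=True models the RELENG_6 merge."""
    if pwd is None:                                   # getpwnam() failed
        return PAM_USER_UNKNOWN
    cls = getpwclass(db, pwd)
    if getcapbool(db, cls, "ignorenologin") or (root_always_allowed and pwd.uid == 0):
        return PAM_SUCCESS
    if not exists(getcapstr(db, cls, "nologin", NOLOGIN_DEFAULT)):
        return PAM_SUCCESS                            # open() failed: nobody is locked out
    return PAM_AUTH_ERR

def pam_nologin_before(db, pwd, exists=os.path.exists):
    """Pre-patch order: the 'default' class alone locates nologin, and root is exempt."""
    if not exists(getcapstr(db, "default", "nologin", NOLOGIN_DEFAULT)):
        return PAM_SUCCESS
    return PAM_USER_UNKNOWN if pwd is None else PAM_SUCCESS if pwd.uid == 0 else PAM_AUTH_ERR

SAMPLE_LOGIN_CONF = r"""
# constructed sample, not a real /etc/login.conf
default:\
        :nologin=/var/run/nologin:
root:\
        :ignorenologin:\
        :tc=default:
staff|operators:\
        :nologin=/var/run/nologin.staff:\
        :tc=default:
"""
DB = parse_login_conf(SAMPLE_LOGIN_CONF)
USERS = {                                             # constructed accounts
    "root": Passwd("root", 0, "root"),
    "alice": Passwd("alice", 1001, "operators"),      # alias of 'staff'
    "bob": Passwd("bob", 1002, "nosuchclass"),        # falls back to 'default'
}

def decisions(present, module=pam_nologin, **kw):    # present: nologin files on the host
    out = {n: module(DB, p, present.__contains__, **kw) for n, p in USERS.items()}
    out["mallory"] = module(DB, None, present.__contains__, **kw)
    return out
```

With only /var/run/nologin present, `decisions({"/var/run/nologin"})` lets alice in (her class points nologin at /var/run/nologin.staff, which does not exist) and refuses bob, whereas `pam_nologin_before` refuses both, which is the complaint in the PR. `decisions(set())` returns PAM_USER_UNKNOWN for the unknown user under the patched order and PAM_SUCCESS under the old one, the return-code change Yar's patch introduces by moving getpwnam() ahead of the file check; and a database whose `root` class lacks `ignorenologin` refuses root unless `root_always_allowed=True`, the RELENG_6 behaviour the merge note describes.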
