[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSH patch finished & third shot at PAM

[Igor intended that to go to the list]
--- Begin Message --- 
On Wed, Nov 01, 2000 at 04:37:37PM +0100, Robert Bihlmeyer wrote:
> I've finally banged my ssh fixes into shape. The new stuff is uploaded
> to <URL:http://pluto.tuwien.ac.at/~robbe/debian/hurd/> as I write
> this.
> 
> News:
> 
> * ssh-askpass-gnome is built now
> * will depend on PAM if the architecture is != hurd-i386
> 
> So my sources should build fine on other archs, too. There's now a
> patch relative to the debian source in the directory mentioned above,
> so if you trust Phil Hands, you only need to peruse that 200 lines.
> 

Speacking of which... Here's my latest effort in patching PAM. I tried to be 
as POSIX compliant as possible and it should make more people happy
since there's hardly any __GNU__. Again, just put the attached file into the 
debian/patches directory and name it something like 020_hurd. Then just run 
the debian build scripts. However expect some problems at the end, ld will 
complain about not being able to find -llibpam_misc which will infact be 
located in one of the -L directories, why it does that? I don't know and I 
haven't gotten to the bottom of it. After that's fixed it also needs to be
tested for any runtime problems.

I've also started working on OpenLDAP, that's not too difficult, just several 
instances of use of MAXPATHLEN and MAXHOSTNAMELEN. It also depended on 
libsasl7 which wasn't in the archive, I've also been able to compile it for 
Hurd with minor patching. This is not yet available for public consumption 
because I haven't had time to produce an organized patch.

For the next couple of weeks I'll be lying low because I won't have almost any 
time for hurd related work. And in the mean time I leave you to ponder on this 
question: according to SUSv2 the maximum hostname length is 255, and there is 
no system dependent macro or runtime poll function like sysconf that modifies 
that value. So how should programs that use MAXHOSTNAMELEN be corrected for 
POSIX compliance?

Igor


diff -ruN -x security Linux-PAM-0.72.orig/modules/pam_filter/pam_filter.c Linux-PAM-0.72/modules/pam_filter/pam_filter.c
--- Linux-PAM-0.72.orig/modules/pam_filter/pam_filter.c	Sun Oct 29 14:31:51 2000
+++ Linux-PAM-0.72/modules/pam_filter/pam_filter.c	Sun Oct 29 00:17:57 2000
@@ -19,7 +19,7 @@
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/ioctl.h>
-#include <termio.h>
+#include <termios.h>
 
 #include <signal.h>
 
@@ -276,7 +276,7 @@
 {
     int status=-1;
     char terminal[TERMINAL_LEN];
-    struct termio stored_mode;           /* initial terminal mode settings */
+    struct termios stored_mode;           /* initial terminal mode settings */
     int fd[2], child=0, child2=0, aterminal;
 
     if (filtername == NULL || *filtername != '/') {
@@ -305,13 +305,13 @@
 
 	/* this is termio terminal handling... */
 
-	if (ioctl(STDIN_FILENO, TCGETA, (char *) &stored_mode ) < 0) {
+	if (tcgetattr(STDIN_FILENO, &stored_mode) < 0) {
 	    /* in trouble, so close down */
 	    close(fd[0]);
 	    _pam_log(LOG_CRIT, "couldn't copy terminal mode");
 	    return PAM_ABORT;
 	} else {
-	    struct termio t_mode = stored_mode;
+	    struct termios t_mode = stored_mode;
 
 	    t_mode.c_iflag = 0;            /* no input control */
 	    t_mode.c_oflag &= ~OPOST;      /* no ouput post processing */
@@ -324,7 +324,7 @@
 	    t_mode.c_cc[VMIN] = 1; /* number of chars to satisfy a read */
 	    t_mode.c_cc[VTIME] = 0;          /* 0/10th second for chars */
 
-	    if (ioctl(STDIN_FILENO, TCSETA, (char *) &t_mode) < 0) {
+	    if (tcsetattr(STDIN_FILENO, TCSAFLUSH, &t_mode) < 0) {
 		close(fd[0]);
 		_pam_log(LOG_WARNING, "couldn't put terminal in RAW mode");
 		return PAM_ABORT;
@@ -354,7 +354,7 @@
 
 	_pam_log(LOG_WARNING,"first fork failed");
 	if (aterminal) {
-	    (void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
+	    (void) tcsetattr(STDIN_FILENO, TCSAFLUSH, &stored_mode);
 	}
 
 	return PAM_AUTH_ERR;
@@ -396,7 +396,7 @@
 	    /* initialize the child's terminal to be the way the
 	       parent's was before we set it into RAW mode */
 
-	    if (ioctl(fd[1], TCSETA, (char *) &stored_mode) < 0) {
+	    if (tcsetattr(fd[1], TCSANOW, &stored_mode) < 0) {
 		_pam_log(LOG_WARNING,"cannot set slave terminal mode; %s"
 			 ,terminal);
 		close(fd[1]);
@@ -570,7 +570,7 @@
 
     if (aterminal) {
 	/* reset to initial terminal mode */
-	(void) ioctl(STDIN_FILENO, TCSETA, (char *) &stored_mode);
+	(void) tcsetattr(STDIN_FILENO, TCSANOW, &stored_mode);
     }
 
     if (ctrl & FILTER_DEBUG) {
diff -ruN -x security Linux-PAM-0.72.orig/modules/pam_limits/pam_limits.c Linux-PAM-0.72/modules/pam_limits/pam_limits.c
--- Linux-PAM-0.72.orig/modules/pam_limits/pam_limits.c	Sun Oct 29 14:31:51 2000
+++ Linux-PAM-0.72/modules/pam_limits/pam_limits.c	Sun Oct 29 00:12:13 2000
@@ -289,8 +289,10 @@
 	limit_item = RLIMIT_NOFILE;
     else if (strcmp(lim_item, "memlock") == 0)
 	limit_item = RLIMIT_MEMLOCK;
+#ifdef RLIMIT_AS
     else if (strcmp(lim_item, "as") == 0)
 	limit_item = RLIMIT_AS;
+#endif
     else if (strcmp(lim_item, "maxlogins") == 0) {
 	limit_item = LIMIT_LOGIN;
 	flag_numsyslogins = 0;
@@ -343,7 +345,9 @@
         case RLIMIT_CORE:
         case RLIMIT_RSS:
         case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
         case RLIMIT_AS:
+#endif
             limit_value *= 1024;
             break;
     }
diff -ruN -x security Linux-PAM-0.72.orig/modules/pam_rhosts/Makefile Linux-PAM-0.72/modules/pam_rhosts/Makefile
--- Linux-PAM-0.72.orig/modules/pam_rhosts/Makefile	Sun Oct 29 14:31:51 2000
+++ Linux-PAM-0.72/modules/pam_rhosts/Makefile	Sun Oct 29 13:51:41 2000
@@ -26,11 +26,14 @@
 ifeq ($(shell if [ -f /usr/include/fsuid.h ]; then echo yes ; fi),yes)
  CFLAGS += -DHAVE_FSUID_H
 endif
-ifeq ($(shell if [ -f /usr/include/sys/fsuid.h ]; then echo yes ; fi),yes)
- CFLAGS += -DHAVE_SYS_FSUID_H -D_GNU_SOURCE
-endif
+#ifeq ($(shell if [ -f /usr/include/sys/fsuid.h ]; then echo yes ; fi),yes)
+ #CFLAGS += -DHAVE_SYS_FSUID_H -D_GNU_SOURCE
+#endif
 ifeq ($(shell if [ -f /usr/include/endian.h ]; then echo yes ; fi),yes)
  CFLAGS += -DHAVE_ENDIAN_H
+endif
+ifeq ($(shell if [ -f /usr/include/net/if.h ]; then echo yes ; fi),yes)
+ CFLAGS += -DHAVE_NET_IF_H
 endif
 
 ####################### don't edit below #######################
diff -ruN -x security Linux-PAM-0.72.orig/modules/pam_rhosts/pam_rhosts_auth.c Linux-PAM-0.72/modules/pam_rhosts/pam_rhosts_auth.c
--- Linux-PAM-0.72.orig/modules/pam_rhosts/pam_rhosts_auth.c	Sun Oct 29 14:31:51 2000
+++ Linux-PAM-0.72/modules/pam_rhosts/pam_rhosts_auth.c	Sun Oct 29 15:01:21 2000
@@ -48,6 +48,10 @@
 #include <sys/fsuid.h>
 #endif
 
+#ifdef HAVE_NET_IF_H
+#include <net/if.h>
+#endif
+
 #include <sys/types.h>
 #include <sys/uio.h>
 #include <string.h>
@@ -64,18 +68,9 @@
 #include <sys/time.h>
 #include <arpa/inet.h>
 
-#ifndef MAXDNAME
-#define MAXDNAME  256
-#endif
-
 #include <stdarg.h>
 #include <ctype.h>
 
-#include <net/if.h>
-#ifdef HAVE_SYS_FSUID_H
-#include <sys/fsuid.h>
-#endif
-
 #include <pwd.h>
 #include <grp.h>
 #include <sys/file.h>
@@ -91,8 +86,13 @@
 #include <security/pam_modules.h>
 #include <security/_pam_macros.h>
 
+#ifdef _ISOC9X_SOURCE
+#include <inttypes.h>
+#define U32 uint32_t
+#else
 /* to the best of my knowledge, all modern UNIX boxes have 32 bit integers */
 #define U32 unsigned int
+#endif /* _ISOC9X_SOURCE */
 
 
 /*
@@ -359,11 +359,26 @@
     register const char *user;
     register char *p;
     int hcheck, ucheck;
+#ifdef MAXHOSTNAMELEN
     char buf[MAXHOSTNAMELEN + 128];                       /* host + login */
+#else
+		char *buf = 0, *old_buf = 0;
+		size_t buf_len = 0;
+#endif
 
+#ifdef MAXHOSTNAMLEN
     buf[sizeof (buf)-1] = '\0';                 	/* terminate line */
 
-    while (fgets(buf, sizeof(buf), hostf) != NULL) {   /* hostf file line */
+    while (fgets(buf, sizeof(buf), hostf) != NULL)   /* hostf file line */
+#else
+    while (getline(&buf, &buf_len, hostf) > 0)
+#endif
+    {
+#ifndef MAXHOSTNAMELEN
+        if (!buf)
+          free(old_buf);
+        old_buf = buf;
+#endif
         p = buf;                              /* from beginning of file.. */
 
 	/* Skip empty or comment lines */
@@ -371,6 +386,7 @@
 	    continue;
 	}
 
+#ifdef MAXHOSTNAMELEN
 	/* Skip lines that are too long. */
 	if (strchr(p, '\n') == NULL) {
 	    int ch = getc(hostf);
@@ -379,6 +395,7 @@
 		ch = getc(hostf);
 	    continue;
 	}
+#endif
 
 	/*
 	 * If there is a hostname at the start of the line.  Set it to
@@ -432,6 +449,9 @@
 	    /* Neither, go on looking for match */
 	}
     }
+#ifndef MAXHOSTNAMELEN
+    free(buf);
+#endif
 
     return (1);
 }
@@ -457,7 +477,11 @@
     FILE *hostf;
     uid_t uid;
     int answer;
+#ifdef MAXPATHLEN
     char pbuf[MAXPATHLEN];               /* potential buffer overrun */
+#else
+    char *pbuf = 0;
+#endif
 
     if ((!superuser||opts->opt_hosts_equiv_rootok) && !opts->opt_no_hosts_equiv ) {
 
@@ -491,6 +515,7 @@
 	return(1);
     }
 
+#ifdef MAXPATHLEN
     /* check for buffer overrun */
     if (strlen(pwd->pw_dir) + sizeof(USER_RHOSTS_FILE) + 2 >= MAXPATHLEN) {
 	if (opts->opt_debug)
@@ -500,6 +525,26 @@
 
     (void) strcpy(pbuf, pwd->pw_dir);
     (void) strcat(pbuf, USER_RHOSTS_FILE);
+#else
+    {
+        long int pbuf_len = strlen(pwd->pw_dir) + sizeof(USER_RHOSTS_FILE);
+        long int path_max;
+        pbuf = (char *)malloc(pbuf_len + 1);
+        if (!pbuf) {
+           if (opts->opt_debug)
+               _pam_log(LOG_DEBUG,
+                   "not enough memory to store home directory for `%s'", luser);
+            return 1;
+        }
+        snprintf(pbuf, pbuf_len, "%s%s", pwd->pw_dir, USER_RHOSTS_FILE);
+        path_max = pathconf(pbuf, _PC_PATH_MAX);
+        if(!(path_max == -1 && !errno) && pbuf_len >= path_max)  {
+	    if (opts->opt_debug)
+		_pam_log(LOG_DEBUG,"home directory for `%s' is too long",luser);
+	    return 1;                               /* to dangerous to try */
+	}
+    }
+#endif
 
     /*
      * Change effective uid while _reading_ .rhosts. (not just
@@ -593,6 +638,9 @@
 
     if (hostf != NULL)
         (void) fclose(hostf);
+#ifdef MAXPATHLEN
+    free(pbuf);
+#endif
 
     return answer;
 }
diff -ruN -x security Linux-PAM-0.72.orig/modules/pam_unix/unix_chkpwd.c Linux-PAM-0.72/modules/pam_unix/unix_chkpwd.c
--- Linux-PAM-0.72.orig/modules/pam_unix/unix_chkpwd.c	Sun Oct 29 14:31:51 2000
+++ Linux-PAM-0.72/modules/pam_unix/unix_chkpwd.c	Sun Oct 29 13:43:06 2000
@@ -51,6 +51,11 @@
 
 static void su_sighandler(int sig)
 {
+#ifndef SA_RESETHAND
+	/* emulate the behavior of the SA_RESETHAND flag */
+	if (sig == SIGILL || sig == SIGTRAP || sig == SIGBUS || sig == SIGSEGV)
+		signal(sig, SIG_DFL);
+#endif
 	if (sig > 0) {
 		_log_err(LOG_NOTICE, "caught signal %d.", sig);
 		exit(sig);
@@ -66,7 +71,9 @@
 	 */
 	(void) memset((void *) &action, 0, sizeof(action));
 	action.sa_handler = su_sighandler;
+#ifdef SA_RESETHAND
 	action.sa_flags = SA_RESETHAND;
+#endif
 	(void) sigaction(SIGILL, &action, NULL);
 	(void) sigaction(SIGTRAP, &action, NULL);
 	(void) sigaction(SIGBUS, &action, NULL);
@@ -130,9 +137,9 @@
 
 	/* Hack off SysVR4 password aging */
 	{
-	    char tmp;
+	    char *tmp;
 
-	    if (tmp == strrchr(p, ',') != NULL) tmp = '\0';
+	    if ((tmp = strrchr(p, ',')) != NULL) *tmp = '\0';
 	}
 
 	/* the moment of truth -- do we agree with the password? */

--- End Message ---

-- 
Robbe
Reply to: