Thorsten Kukuk (kukuk@suse.de) pointed out a couple problems with

pam_apparmor and here's a patch to address most of them-- * header comment was incorrect * use pam_get_user() instead of pam_get_item() * return an error if we're unable to change to the DEFAULT hat In addition, this has a fix to make sure that the magic token we read from /dev/urandom is not null (which would cause the hat probing to fail if we need to fall back to the DEFAULT hat).
2025-03-04 08:24:42 +01:00 · 2006-09-14 12:44:01 +00:00 · 2006-09-14 12:44:01 +00:00 · 4f4a56859e
commit 4f4a56859e
parent 16ede09541
1 changed files with 23 additions and 11 deletions
--- a/changehat/pam_apparmor/pam_apparmor.c
+++ b/changehat/pam_apparmor/pam_apparmor.c
@ -1,12 +1,13 @@
 /* pam_apparmor module */

 /*
- * Modified for pam_motd by Ben Collins <bcollins@debian.org>
- *
- * Based off of:
 * $Id$
 *
- * Written by Michael K. Johnson <johnsonm@redhat.com> 1996/10/24
+ * Written by Jesse Michael <jmichael@suse.de> 2006/08/24
+ *
+ * Based off of pam_motd by:
+ *   Ben Collins <bcollins@debian.org> 2005/10/04
+ *   Michael K. Johnson <johnsonm@redhat.com> 1996/10/24
 *
 */

@ -20,6 +21,7 @@
 #include <pwd.h>

 #include <security/_pam_macros.h>
+
 /*
 * here, we make a definition for the externally accessible function
 * in this file (this definition is required for static a module
@ -44,13 +46,13 @@ PAM_EXTERN
 int pam_sm_open_session(pam_handle_t *pamh, int flags,
 			int argc, const char **argv)
 {
-	int fd, retval = PAM_IGNORE;
-	unsigned int magic_token = 0xDEADC0ED;
-	const void *user;
+	int fd, retval;
+	unsigned int magic_token;
+	const char *user;

 	/* grab the target user name */
-	retval = pam_get_item(pamh, PAM_USER, &user);
-	if (retval != PAM_SUCCESS || user == NULL || *(const char *)user == '\0') {
+	retval = pam_get_user(pamh, &user, NULL);
+	if (retval != PAM_SUCCESS || user == NULL || *user == '\0') {
 		return PAM_USER_UNKNOWN;
 	}

@ -58,7 +60,15 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 	if (fd < 0) {
 		return PAM_PERM_DENIED;
 	}
-	retval = read(fd, (void *) &magic_token, sizeof(magic_token));
+
+	/* the magic token needs to be non-zero otherwise, we won't be able to 
+	   probe for hats */
+	do {
+		retval = read(fd, (void *) &magic_token, sizeof(magic_token));
+		if (retval < 0) {
+			return PAM_PERM_DENIED;
+		}
+	} while (magic_token == 0);

 	close(fd);

@ -74,11 +84,13 @@ int pam_sm_open_session(pam_handle_t *pamh, int flags,
 				/* failed to change into default hat, so we'll 
 				   jump back out */
 				retval = change_hat(NULL, magic_token);
+				return PAM_PERM_DENIED;
 			}
 		}
 	}

-	/* zero out the magic token so we can't get back out */
+	/* zero out the magic token so an attacker wouldn't be able to just grab 
+	   it out of process memory and instead would need to brute force it */
 	memset(&magic_token, 0, sizeof(magic_token));

 	return PAM_SUCCESS;