From 940747f88c16e029b69a74e80a2e94f65cb3e628 Mon Sep 17 00:00:00 2001 From: Thorsten Kukuk Date: Thu, 14 Nov 2024 10:27:28 +0100 Subject: [PATCH] pam_access: rework resolving of tokens as hostname * modules/pam_access/pam_access.c: separate resolving of IP addresses from hostnames. Don't resolve TTYs or display variables as hostname (#834). Add "nodns" option to disallow resolving of tokens as hostname. * modules/pam_access/pam_access.8.xml: document nodns option * modules/pam_access/access.conf.5.xml: document that hostnames should be written as FQHN. --- modules/pam_access/access.conf.5.xml | 4 ++ modules/pam_access/pam_access.8.xml | 46 ++++++++++++------ modules/pam_access/pam_access.c | 72 +++++++++++++++++++++++++++- 3 files changed, 105 insertions(+), 17 deletions(-) diff --git a/modules/pam_access/access.conf.5.xml b/modules/pam_access/access.conf.5.xml index 0b93db00..10b8ba92 100644 --- a/modules/pam_access/access.conf.5.xml +++ b/modules/pam_access/access.conf.5.xml @@ -233,6 +233,10 @@ An IPv6 link local host address must contain the interface identifier. IPv6 link local network/netmask is not supported. + + Hostnames should be written as Fully-Qualified Host Name (FQHN) to avoid + confusion with device names or PAM service names. + diff --git a/modules/pam_access/pam_access.8.xml b/modules/pam_access/pam_access.8.xml index c991d7a0..71a4f7ee 100644 --- a/modules/pam_access/pam_access.8.xml +++ b/modules/pam_access/pam_access.8.xml @@ -22,11 +22,14 @@ debug + + noaudit + nodefgroup - noaudit + nodns quiet_log @@ -132,6 +135,33 @@ + + + nodefgroup + + + + User tokens which are not enclosed in parentheses will not be + matched against the group database. The backwards compatible default is + to try the group database match even for tokens not enclosed + in parentheses. + + + + + + + nodns + + + + Do not try to resolve tokens as hostnames, only IPv4 and IPv6 + addresses will be resolved. Which means to allow login from a + remote host, the IP addresses need to be specified in access.conf. + + + + quiet_log @@ -185,20 +215,6 @@ - - - nodefgroup - - - - User tokens which are not enclosed in parentheses will not be - matched against the group database. The backwards compatible default is - to try the group database match even for tokens not enclosed - in parentheses. - - - - diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c index 48e7c7e9..109115e9 100644 --- a/modules/pam_access/pam_access.c +++ b/modules/pam_access/pam_access.c @@ -100,6 +100,7 @@ struct login_info { int only_new_group_syntax; /* Only allow group entries of the form "(xyz)" */ int noaudit; /* Do not audit denials */ int quiet_log; /* Do not log denials */ + int nodns; /* Do not try to resolve tokens as hostnames */ const char *fs; /* field separator */ const char *sep; /* list-element separator */ int from_remote_host; /* If PAM_RHOST was used for from */ @@ -154,6 +155,8 @@ parse_args(pam_handle_t *pamh, struct login_info *loginfo, loginfo->noaudit = YES; } else if (strcmp (argv[i], "quiet_log") == 0) { loginfo->quiet_log = YES; + } else if (strcmp (argv[i], "nodns") == 0) { + loginfo->nodns = YES; } else { pam_syslog(pamh, LOG_ERR, "unrecognized option [%s]", argv[i]); } @@ -820,7 +823,7 @@ remote_match (pam_handle_t *pamh, char *tok, struct login_info *item) if ((str_len = strlen(string)) > tok_len && strcasecmp(tok, string + str_len - tok_len) == 0) return YES; - } else if (tok[tok_len - 1] == '.') { /* internet network numbers (end with ".") */ + } else if (tok[tok_len - 1] == '.') { /* internet network numbers/subnet (end with ".") */ struct addrinfo hint; memset (&hint, '\0', sizeof (hint)); @@ -895,6 +898,39 @@ string_match (pam_handle_t *pamh, const char *tok, const char *string, } +static int +is_device (pam_handle_t *pamh, const char *tok) +{ + struct stat st; + const char *dev = "/dev/"; + char *devname; + + devname = malloc (strlen(dev) + strlen (tok) + 1); + if (devname == NULL) { + pam_syslog(pamh, LOG_ERR, "Cannot allocate memory for device name: %m"); + /* + * We should return an error and abort, but pam_access has no good + * error handling. + */ + return NO; + } + + char *cp = stpcpy (devname, dev); + strcpy (cp, tok); + + if (lstat(devname, &st) != 0) + { + free (devname); + return NO; + } + free (devname); + + if (S_ISCHR(st.st_mode)) + return YES; + + return NO; +} + /* network_netmask_match - match a string against one token * where string is a hostname or ip (v4,v6) address and tok * represents either a hostname, a single ip (v4,v6) address @@ -956,10 +992,42 @@ network_netmask_match (pam_handle_t *pamh, return NO; } } + else if (isipaddr(tok, NULL, NULL) == YES) + { + if (getaddrinfo (tok, NULL, NULL, &ai) != 0) + { + if (item->debug) + pam_syslog(pamh, LOG_DEBUG, "cannot resolve IP address \"%s\"", tok); + + return NO; + } + netmask_ptr = NULL; + } + else if (item->nodns) + { + /* Only hostnames are left, which we would need to resolve via DNS */ + return NO; + } else { + /* Bail out on X11 Display entries and ttys. */ + if (tok[0] == ':') + { + if (item->debug) + pam_syslog (pamh, LOG_DEBUG, + "network_netmask_match: tok=%s is X11 display", tok); + return NO; + } + if (is_device (pamh, tok)) + { + if (item->debug) + pam_syslog (pamh, LOG_DEBUG, + "network_netmask_match: tok=%s is a TTY", tok); + return NO; + } + /* - * It is either an IP address or a hostname. + * It is most likely a hostname. * Let getaddrinfo sort everything out */ if (getaddrinfo (tok, NULL, NULL, &ai) != 0) -- 2.47.0