The Samba-Bugzilla – Attachment 2854 Details for
Bug 4831
pam_smbpass calls openlog(), can cause application segfaults
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
updated patch to switch to pam_vsyslog like pam_winbind
smbpasswd-syslog.patch (text/plain), 21.25 KB, created by
Steve Langasek
on 2007-08-06 00:56:00 UTC
(
hide
)
Description:
updated patch to switch to pam_vsyslog like pam_winbind
Filename:
MIME Type:
Creator:
Steve Langasek
Created:
2007-08-06 00:56:00 UTC
Size:
21.25 KB
patch
obsolete
>Goal: Don't call openlog() or closelog() from pam_smbpass > >Fixes: bug #434372 > >Upstream status: submitted as bugzilla bug #4831 > >Index: samba-3.0.25b/source/pam_smbpass/support.c >=================================================================== >--- samba-3.0.25b.orig/source/pam_smbpass/support.c >+++ samba-3.0.25b/source/pam_smbpass/support.c >@@ -15,6 +15,7 @@ > * Mass Ave, Cambridge, MA 02139, USA. > */ > >+ #include "config.h" > #include "includes.h" > #include "general.h" > >@@ -66,19 +67,44 @@ > > char *servicesf = dyn_CONFIGFILE; > >- /* syslogging function for errors and other information */ >- >- void _log_err( int err, const char *format, ... ) >- { >- va_list args; >+/* syslogging function for errors and other information */ >+#ifdef HAVE_PAM_VSYSLOG >+void _log_err( pam_handle_t *pamh, int err, const char *format, ... ) >+{ >+ va_list args; > >- va_start( args, format ); >- openlog( "PAM_smbpass", LOG_CONS | LOG_PID, LOG_AUTH ); >- vsyslog( err, format, args ); >- va_end( args ); >- closelog(); >+ va_start(args, format); >+ pam_vsyslog(pamh, err, format, args); >+ va_end(args); >+} >+#else >+void _log_err( pam_handle_t *pamh, int err, const char *format, ... ) >+{ >+ va_list args; >+ const char tag[] = "(pam_smbpass) "; >+ char *mod_format; >+ >+ mod_format = SMB_MALLOC_ARRAY(char, sizeof(tag) + strlen(format)); >+ /* try really, really hard to log something, since this may have >+ been a message about a malloc() failure... */ >+ if (mod_format == NULL) { >+ va_start(args, format); >+ vsyslog(err | LOG_AUTH, format, args); >+ va_end(args); >+ return; > } > >+ strncpy(mod_format, tag, strlen(tag)+1); >+ strncat(mod_format, format, strlen(format)); >+ >+ va_start(args, format); >+ vsyslog(err | LOG_AUTH, mod_format, args); >+ va_end(args); >+ >+ free(mod_format); >+} >+#endif >+ > /* this is a front-end for module-application conversations */ > > int converse( pam_handle_t * pamh, int ctrl, int nargs >@@ -95,12 +121,14 @@ > ,response, conv->appdata_ptr); > > if (retval != PAM_SUCCESS && on(SMB_DEBUG, ctrl)) { >- _log_err(LOG_DEBUG, "conversation failure [%s]" >- ,pam_strerror(pamh, retval)); >+ _log_err(pamh, LOG_DEBUG, >+ "conversation failure [%s]", >+ pam_strerror(pamh, retval)); > } > } else { >- _log_err(LOG_ERR, "couldn't obtain coversation function [%s]" >- ,pam_strerror(pamh, retval)); >+ _log_err(pamh, LOG_ERR, >+ "couldn't obtain coversation function [%s]", >+ pam_strerror(pamh, retval)); > } > > return retval; /* propagate error status */ >@@ -126,7 +154,7 @@ > > /* set the control flags for the SMB module. */ > >-int set_ctrl( int flags, int argc, const char **argv ) >+int set_ctrl( pam_handle_t *pamh, int flags, int argc, const char **argv ) > { > int i = 0; > const char *service_file = dyn_CONFIGFILE; >@@ -168,7 +196,7 @@ > /* Read some options from the Samba config. Can be overridden by > the PAM config. */ > if(lp_load(service_file,True,False,False,True) == False) { >- _log_err( LOG_ERR, "Error loading service file %s", service_file ); >+ _log_err(pamh, LOG_ERR, "Error loading service file %s", service_file); > } > > secrets_init(); >@@ -191,7 +219,7 @@ > } > > if (j >= SMB_CTRLS_) { >- _log_err( LOG_ERR, "unrecognized option [%s]", *argv ); >+ _log_err(pamh, LOG_ERR, "unrecognized option [%s]", *argv); > } else { > ctrl &= smb_args[j].mask; /* for turning things off */ > ctrl |= smb_args[j].flag; /* for turning things on */ >@@ -230,7 +258,7 @@ > * evidence of old token around for later stack analysis. > * > */ >-char * smbpXstrDup( const char *x ) >+char * smbpXstrDup( pam_handle_t *pamh, const char *x ) > { > register char *newstr = NULL; > >@@ -240,7 +268,7 @@ > for (i = 0; x[i]; ++i); /* length of string */ > if ((newstr = SMB_MALLOC_ARRAY(char, ++i)) == NULL) { > i = 0; >- _log_err( LOG_CRIT, "out of memory in smbpXstrDup" ); >+ _log_err(pamh, LOG_CRIT, "out of memory in smbpXstrDup"); > } else { > while (i-- > 0) { > newstr[i] = x[i]; >@@ -282,7 +310,7 @@ > /* log the number of authentication failures */ > if (failure->count != 0) { > pam_get_item( pamh, PAM_SERVICE, (const void **) &service ); >- _log_err( LOG_NOTICE >+ _log_err(pamh, LOG_NOTICE > , "%d authentication %s " > "from %s for service %s as %s(%d)" > , failure->count >@@ -291,7 +319,7 @@ > , service == NULL ? "**unknown**" : service > , failure->user, failure->id ); > if (failure->count > SMB_MAX_RETRIES) { >- _log_err( LOG_ALERT >+ _log_err(pamh, LOG_ALERT > , "service(%s) ignoring max retries; %d > %d" > , service == NULL ? "**unknown**" : service > , failure->count >@@ -327,8 +355,7 @@ > > if (!pdb_get_lanman_passwd(sampass)) > { >- _log_err( LOG_DEBUG, "user %s has null SMB password" >- , name ); >+ _log_err(pamh, LOG_DEBUG, "user %s has null SMB password", name); > > if (off( SMB__NONULL, ctrl ) > && (pdb_get_acct_ctrl(sampass) & ACB_PWNOTREQ)) >@@ -338,15 +365,16 @@ > const char *service; > > pam_get_item( pamh, PAM_SERVICE, (const void **)&service ); >- _log_err( LOG_NOTICE, "failed auth request by %s for service %s as %s", >- uidtoname(getuid()), service ? service : "**unknown**", name); >+ _log_err(pamh, LOG_NOTICE, >+ "failed auth request by %s for service %s as %s", >+ uidtoname(getuid()), service ? service : "**unknown**", name); > return PAM_AUTH_ERR; > } > } > > data_name = SMB_MALLOC_ARRAY(char, sizeof(FAIL_PREFIX) + strlen( name )); > if (data_name == NULL) { >- _log_err( LOG_CRIT, "no memory for data-name" ); >+ _log_err(pamh, LOG_CRIT, "no memory for data-name"); > } > strncpy( data_name, FAIL_PREFIX, sizeof(FAIL_PREFIX) ); > strncpy( data_name + sizeof(FAIL_PREFIX) - 1, name, strlen( name ) + 1 ); >@@ -392,31 +420,31 @@ > retval = PAM_MAXTRIES; > } > } else { >- _log_err(LOG_NOTICE, >+ _log_err(pamh, LOG_NOTICE, > "failed auth request by %s for service %s as %s", > uidtoname(getuid()), > service ? service : "**unknown**", name); > newauth->count = 1; > } > if (!sid_to_uid(pdb_get_user_sid(sampass), &(newauth->id))) { >- _log_err(LOG_NOTICE, >+ _log_err(pamh, LOG_NOTICE, > "failed auth request by %s for service %s as %s", > uidtoname(getuid()), > service ? service : "**unknown**", name); > } >- newauth->user = smbpXstrDup( name ); >- newauth->agent = smbpXstrDup( uidtoname( getuid() ) ); >+ newauth->user = smbpXstrDup(pamh, name); >+ newauth->agent = smbpXstrDup(pamh, uidtoname( getuid() )); > pam_set_data( pamh, data_name, newauth, _cleanup_failures ); > > } else { >- _log_err( LOG_CRIT, "no memory for failure recorder" ); >- _log_err(LOG_NOTICE, >+ _log_err(pamh, LOG_CRIT, "no memory for failure recorder"); >+ _log_err(pamh, LOG_NOTICE, > "failed auth request by %s for service %s as %s(%d)", > uidtoname(getuid()), > service ? service : "**unknown**", name); > } > } else { >- _log_err(LOG_NOTICE, >+ _log_err(pamh, LOG_NOTICE, > "failed auth request by %s for service %s as %s(%d)", > uidtoname(getuid()), > service ? service : "**unknown**", name); >@@ -490,8 +518,8 @@ > retval = pam_get_item( pamh, authtok_flag, (const void **) &item ); > if (retval != PAM_SUCCESS) { > /* very strange. */ >- _log_err( LOG_ALERT >- , "pam_get_item returned error to smb_read_password" ); >+ _log_err(pamh, LOG_ALERT, >+ "pam_get_item returned error to smb_read_password"); > return retval; > } else if (item != NULL) { /* we have a password! */ > *pass = item; >@@ -543,7 +571,7 @@ > > if (retval == PAM_SUCCESS) { /* a good conversation */ > >- token = smbpXstrDup(resp[j++].resp); >+ token = smbpXstrDup(pamh, resp[j++].resp); > if (token != NULL) { > if (expect == 2) { > /* verify that password entered correctly */ >@@ -555,7 +583,8 @@ > } > } > } else { >- _log_err(LOG_NOTICE, "could not recover authentication token"); >+ _log_err(pamh, LOG_NOTICE, >+ "could not recover authentication token"); > } > } > >@@ -568,7 +597,7 @@ > > if (retval != PAM_SUCCESS) { > if (on( SMB_DEBUG, ctrl )) >- _log_err( LOG_DEBUG, "unable to obtain a password" ); >+ _log_err(pamh, LOG_DEBUG, "unable to obtain a password"); > return retval; > } > /* 'token' is the entered password */ >@@ -583,7 +612,7 @@ > || (retval = pam_get_item( pamh, authtok_flag > ,(const void **)&item )) != PAM_SUCCESS) > { >- _log_err( LOG_CRIT, "error manipulating password" ); >+ _log_err(pamh, LOG_CRIT, "error manipulating password"); > return retval; > } > } else { >@@ -597,8 +626,8 @@ > || (retval = pam_get_data( pamh, data_name, (const void **)&item )) > != PAM_SUCCESS) > { >- _log_err( LOG_CRIT, "error manipulating password data [%s]" >- , pam_strerror( pamh, retval )); >+ _log_err(pamh, LOG_CRIT, "error manipulating password data [%s]", >+ pam_strerror( pamh, retval )); > _pam_delete( token ); > item = NULL; > return retval; >@@ -622,8 +651,8 @@ > if (pass_new == NULL || (pass_old && !strcmp( pass_old, pass_new ))) > { > if (on(SMB_DEBUG, ctrl)) { >- _log_err( LOG_DEBUG, >- "passwd: bad authentication token (null or unchanged)" ); >+ _log_err(pamh, LOG_DEBUG, >+ "passwd: bad authentication token (null or unchanged)"); > } > make_remark( pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ? > "No password supplied" : "Password unchanged" ); >Index: samba-3.0.25b/source/pam_smbpass/pam_smb_auth.c >=================================================================== >--- samba-3.0.25b.orig/source/pam_smbpass/pam_smb_auth.c >+++ samba-3.0.25b/source/pam_smbpass/pam_smb_auth.c >@@ -75,10 +75,9 @@ > > /* Samba initialization. */ > load_case_tables(); >- setup_logging("pam_smbpass",False); > in_client = True; > >- ctrl = set_ctrl(flags, argc, argv); >+ ctrl = set_ctrl(pamh, flags, argc, argv); > > /* Get a few bytes so we can pass our return value to > pam_sm_setcred(). */ >@@ -93,23 +92,23 @@ > retval = pam_get_user( pamh, &name, "Username: " ); > if ( retval != PAM_SUCCESS ) { > if (on( SMB_DEBUG, ctrl )) { >- _log_err(LOG_DEBUG, "auth: could not identify user"); >+ _log_err(pamh, LOG_DEBUG, "auth: could not identify user"); > } > AUTH_RETURN; > } > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG, "username [%s] obtained", name ); >+ _log_err(pamh, LOG_DEBUG, "username [%s] obtained", name); > } > > if (!initialize_password_db(True)) { >- _log_err( LOG_ALERT, "Cannot access samba password database" ); >+ _log_err(pamh, LOG_ALERT, "Cannot access samba password database"); > retval = PAM_AUTHINFO_UNAVAIL; > AUTH_RETURN; > } > > sampass = samu_new( NULL ); > if (!sampass) { >- _log_err( LOG_ALERT, "Cannot talloc a samu struct" ); >+ _log_err(pamh, LOG_ALERT, "Cannot talloc a samu struct"); > retval = nt_status_to_pam(NT_STATUS_NO_MEMORY); > AUTH_RETURN; > } >@@ -123,7 +122,7 @@ > } > > if (!found) { >- _log_err(LOG_ALERT, "Failed to find entry for user %s.", name); >+ _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", name); > retval = PAM_USER_UNKNOWN; > TALLOC_FREE(sampass); > sampass = NULL; >@@ -142,7 +141,7 @@ > > retval = _smb_read_password(pamh, ctrl, NULL, "Password: ", NULL, _SMB_AUTHTOK, &p); > if (retval != PAM_SUCCESS ) { >- _log_err(LOG_CRIT, "auth: no password provided for [%s]", name); >+ _log_err(pamh,LOG_CRIT, "auth: no password provided for [%s]", name); > TALLOC_FREE(sampass); > AUTH_RETURN; > } >@@ -194,8 +193,8 @@ > retval = pam_get_item( pamh, PAM_AUTHTOK, (const void **) &pass ); > > if (retval != PAM_SUCCESS) { >- _log_err( LOG_ALERT >- , "pam_get_item returned error to pam_sm_authenticate" ); >+ _log_err(pamh, LOG_ALERT, >+ "pam_get_item returned error to pam_sm_authenticate"); > return PAM_AUTHTOK_RECOVER_ERR; > } else if (pass == NULL) { > return PAM_AUTHTOK_RECOVER_ERR; >Index: samba-3.0.25b/source/pam_smbpass/pam_smb_acct.c >=================================================================== >--- samba-3.0.25b.orig/source/pam_smbpass/pam_smb_acct.c >+++ samba-3.0.25b/source/pam_smbpass/pam_smb_acct.c >@@ -52,29 +52,28 @@ > > /* Samba initialization. */ > load_case_tables(); >- setup_logging( "pam_smbpass", False ); > in_client = True; > >- ctrl = set_ctrl( flags, argc, argv ); >+ ctrl = set_ctrl(pamh, flags, argc, argv); > > /* get the username */ > > retval = pam_get_user( pamh, &name, "Username: " ); > if (retval != PAM_SUCCESS) { > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG, "acct: could not identify user" ); >+ _log_err(pamh, LOG_DEBUG, "acct: could not identify user"); > } > return retval; > } > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG, "acct: username [%s] obtained", name ); >+ _log_err(pamh, LOG_DEBUG, "acct: username [%s] obtained", name); > } > > /* Getting into places that might use LDAP -- protect the app > from a SIGPIPE it's not expecting */ > oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); > if (!initialize_password_db(True)) { >- _log_err( LOG_ALERT, "Cannot access samba password database" ); >+ _log_err(pamh, LOG_ALERT, "Cannot access samba password database"); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return PAM_AUTHINFO_UNAVAIL; > } >@@ -88,7 +87,7 @@ > } > > if (!pdb_getsampwnam(sampass, name )) { >- _log_err( LOG_DEBUG, "acct: could not identify user" ); >+ _log_err(pamh, LOG_DEBUG, "acct: could not identify user"); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return PAM_USER_UNKNOWN; > } >@@ -101,8 +100,8 @@ > > if (pdb_get_acct_ctrl(sampass) & ACB_DISABLED) { > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG >- , "acct: account %s is administratively disabled", name ); >+ _log_err(pamh, LOG_DEBUG, >+ "acct: account %s is administratively disabled", name); > } > make_remark( pamh, ctrl, PAM_ERROR_MSG > , "Your account has been disabled; " >Index: samba-3.0.25b/source/pam_smbpass/pam_smb_passwd.c >=================================================================== >--- samba-3.0.25b.orig/source/pam_smbpass/pam_smb_passwd.c >+++ samba-3.0.25b/source/pam_smbpass/pam_smb_passwd.c >@@ -104,10 +104,9 @@ > > /* Samba initialization. */ > load_case_tables(); >- setup_logging( "pam_smbpass", False ); > in_client = True; > >- ctrl = set_ctrl(flags, argc, argv); >+ ctrl = set_ctrl(pamh, flags, argc, argv); > > /* > * First get the name of a user. No need to do anything if we can't >@@ -117,12 +116,12 @@ > retval = pam_get_user( pamh, &user, "Username: " ); > if (retval != PAM_SUCCESS) { > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG, "password: could not identify user" ); >+ _log_err(pamh, LOG_DEBUG, "password: could not identify user"); > } > return retval; > } > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG, "username [%s] obtained", user ); >+ _log_err(pamh, LOG_DEBUG, "username [%s] obtained", user); > } > > /* Getting into places that might use LDAP -- protect the app >@@ -130,7 +129,7 @@ > oldsig_handler = CatchSignal(SIGPIPE, SIGNAL_CAST SIG_IGN); > > if (!initialize_password_db(False)) { >- _log_err( LOG_ALERT, "Cannot access samba password database" ); >+ _log_err(pamh, LOG_ALERT, "Cannot access samba password database"); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return PAM_AUTHINFO_UNAVAIL; > } >@@ -142,12 +141,12 @@ > } > > if (!pdb_getsampwnam(sampass,user)) { >- _log_err( LOG_ALERT, "Failed to find entry for user %s.", user ); >+ _log_err(pamh, LOG_ALERT, "Failed to find entry for user %s.", user); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return PAM_USER_UNKNOWN; > } > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_DEBUG, "Located account for %s", user ); >+ _log_err(pamh, LOG_DEBUG, "Located account for %s", user); > } > > if (flags & PAM_PRELIM_CHECK) { >@@ -173,7 +172,7 @@ > #define greeting "Changing password for " > Announce = SMB_MALLOC_ARRAY(char, sizeof(greeting)+strlen(user)); > if (Announce == NULL) { >- _log_err(LOG_CRIT, "password: out of memory"); >+ _log_err(pamh, LOG_CRIT, "password: out of memory"); > TALLOC_FREE(sampass); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return PAM_BUF_ERR; >@@ -188,8 +187,8 @@ > SAFE_FREE( Announce ); > > if (retval != PAM_SUCCESS) { >- _log_err( LOG_NOTICE >- , "password - (old) token not obtained" ); >+ _log_err(pamh, LOG_NOTICE, >+ "password - (old) token not obtained"); > TALLOC_FREE(sampass); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return retval; >@@ -234,7 +233,7 @@ > } > > if (retval != PAM_SUCCESS) { >- _log_err( LOG_NOTICE, "password: user not authenticated" ); >+ _log_err(pamh, LOG_NOTICE, "password: user not authenticated"); > TALLOC_FREE(sampass); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); > return retval; >@@ -259,8 +258,8 @@ > > if (retval != PAM_SUCCESS) { > if (on( SMB_DEBUG, ctrl )) { >- _log_err( LOG_ALERT >- , "password: new password not obtained" ); >+ _log_err(pamh, LOG_ALERT, >+ "password: new password not obtained"); > } > pass_old = NULL; /* tidy up */ > TALLOC_FREE(sampass); >@@ -281,7 +280,7 @@ > retval = _pam_smb_approve_pass(pamh, ctrl, pass_old, pass_new); > > if (retval != PAM_SUCCESS) { >- _log_err(LOG_NOTICE, "new password not acceptable"); >+ _log_err(pamh, LOG_NOTICE, "new password not acceptable"); > pass_new = pass_old = NULL; /* tidy up */ > TALLOC_FREE(sampass); > CatchSignal(SIGPIPE, SIGNAL_CAST oldsig_handler); >@@ -301,16 +300,17 @@ > > /* password updated */ > if (!sid_to_uid(pdb_get_user_sid(sampass), &uid)) { >- _log_err( LOG_NOTICE, "Unable to get uid for user %s", >+ _log_err(pamh, LOG_NOTICE, >+ "Unable to get uid for user %s", > pdb_get_username(sampass)); >- _log_err( LOG_NOTICE, "password for (%s) changed by (%s/%d)", >+ _log_err(pamh, LOG_NOTICE, "password for (%s) changed by (%s/%d)", > user, uidtoname(getuid()), getuid()); > } else { >- _log_err( LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)", >+ _log_err(pamh, LOG_NOTICE, "password for (%s/%d) changed by (%s/%d)", > user, uid, uidtoname(getuid()), getuid()); > } > } else { >- _log_err( LOG_ERR, "password change failed for user %s", user); >+ _log_err(pamh, LOG_ERR, "password change failed for user %s", user); > } > > pass_old = pass_new = NULL; >@@ -321,7 +321,7 @@ > > } else { /* something has broken with the library */ > >- _log_err( LOG_ALERT, "password received unknown request" ); >+ _log_err(pamh, LOG_ALERT, "password received unknown request"); > retval = PAM_ABORT; > > } >Index: samba-3.0.25b/source/pam_smbpass/support.h >=================================================================== >--- samba-3.0.25b.orig/source/pam_smbpass/support.h >+++ samba-3.0.25b/source/pam_smbpass/support.h >@@ -1,8 +1,8 @@ > /* syslogging function for errors and other information */ >-extern void _log_err(int, const char *, ...); >+extern void _log_err(pam_handle_t *, int, const char *, ...); > > /* set the control flags for the UNIX module. */ >-extern int set_ctrl(int, int, const char **); >+extern int set_ctrl(pam_handle_t *, int, int, const char **); > > /* generic function for freeing pam data segments */ > extern void _cleanup(pam_handle_t *, void *, int); >@@ -12,7 +12,7 @@ > * evidence of old token around for later stack analysis. > */ > >-extern char *smbpXstrDup(const char *); >+extern char *smbpXstrDup(pam_handle_t *,const char *); > > /* ************************************************************** * > * Useful non-trivial functions *
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=2854">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 4831
:
2845
| 2854