debian/0000755000000000000000000000000012221253700007160 5ustar debian/compat0000644000000000000000000000000211235100757010365 0ustar 7 debian/patches/0000755000000000000000000000000011373525067010626 5ustar debian/patches/0001-make-sure-we-don-t-overflow-the-data-buffer.patch0000644000000000000000000000106111373523771022341 0ustar From: Nicolas Boullis Date: Mon, 23 Mar 2009 10:46:44 +0100 Subject: [PATCH] make sure we don't overflow the data buffer --- cc_db.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/cc_db.c b/cc_db.c index c0e0488..9371c4d 100644 --- a/cc_db.c +++ b/cc_db.c @@ -199,7 +199,7 @@ int pam_cc_db_get(void *_db, const char *keyname, size_t keylength, return (rc == DB_NOTFOUND) ? PAM_AUTHINFO_UNAVAIL : PAM_SERVICE_ERR; } - if (val.size < *size) { + if (val.size > *size) { return PAM_BUF_ERR; } -- debian/patches/series0000644000000000000000000000013111373525067012036 0ustar 0001-make-sure-we-don-t-overflow-the-data-buffer.patch 0002-add-minimum_uid-option.patch debian/patches/0002-add-minimum_uid-option.patch0000644000000000000000000000535511373525067016606 0ustar From: =?UTF-8?q?Guido=20G=C3=BCnther?= Date: Thu, 13 May 2010 12:36:26 +0200 Subject: [PATCH] add minimum_uid option Closes: #580037 --- cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 files changed, 39 insertions(+), 0 deletions(-) diff --git a/cc_pam.c b/cc_pam.c index d096117..56776aa 100644 --- a/cc_pam.c +++ b/cc_pam.c @@ -20,6 +20,7 @@ #include #include #include +#include #include "cc_private.h" 
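Review bot: The corrected bounds check in pam_cc_db_get, `if (val.size > *size)`, has no comment, and the pre-patch line shows how easily its direction gets inverted. I would add `/* *size is the caller's buffer capacity on entry; refuse records that do not fit */` directly above the comparison. The copy this check guards and the rest of the function lie outside the hunk, so it is worth confirming there that nothing reads or writes `val.size` bytes before this test and that `*size` is set to the stored length on success.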
@@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv); #endif + +/* + * Given the PAM arguments and the user we're authenticating, see if we should + * ignore that user because they're root or have a low-numbered UID and we + * were configured to ignore such users. Returns true if we should ignore + * them, false otherwise. + */ +static int +_pamcc_should_ignore(const char *username, int minimum_uid) +{ + struct passwd *pwd; + + if (minimum_uid > 0) { + pwd = getpwnam(username); + if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) { + syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)", + (unsigned long) pwd->pw_uid, minimum_uid); + return 1; + } + } + return 0; +} + + static int _pam_sm_interact(pam_handle_t *pamh, int flags, const char **authtok) @@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, unsigned int sm_flags = 0, sm_action = 0; const char *ccredsfile = NULL; const char *action = NULL; + const char *name = NULL; int (*selector)(pam_handle_t *, int, unsigned int, const char *); + int minimum_uid = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "use_first_pass") == 0) @@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, sm_flags |= SM_FLAGS_TRY_FIRST_PASS; else if (strcmp(argv[i], "service_specific") == 0) sm_flags |= SM_FLAGS_SERVICE_SPECIFIC; + else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0) + minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1); else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0) ccredsfile = argv[i] + sizeof("ccredsfile=") - 1; else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0) 
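Review bot: `_pamcc_should_ignore` calls `getpwnam()`, which returns a pointer into static storage shared with whatever process loaded the module, so an application still holding a `struct passwd *` from its own lookup may find it overwritten after this call. `getpwnam_r()` with a local buffer avoids that. Separately, the header comment speaks of "the PAM arguments" and of root, but the function takes only a name and a threshold and skips every check when `minimum_uid` is 0 or negative. The debug message also lacks the `pam_ccreds:` prefix that the `invalid action` syslog call in the same file uses.

```c
static int
_pamcc_should_ignore(const char *username, int minimum_uid)
{
	struct passwd pwbuf, *pwd = NULL;
	char buf[4096];	/* constructed size; an entry that does not fit is treated as "not found" */

	if (minimum_uid <= 0)
		return 0;
	if (getpwnam_r(username, &pwbuf, buf, sizeof(buf), &pwd) != 0 || pwd == NULL)
		return 0;	/* lookup failed: same outcome as the current code */
	if (pwd->pw_uid < (unsigned long) minimum_uid) {
		/* ... unchanged: syslog(LOG_DEBUG, ...) call ... */
		return 1;
	}
	return 0;
}
```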
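Review bot: `minimum_uid = atoi(...)` in the option loop of pam_sm_authenticate cannot detect a bad value: `minimum_uid=abc` or a typo such as `minimum_uid=l000` parses as 0, which switches the low-UID filter off without any log entry. Parsing with `strtol`, rejecting trailing characters, negative values and out-of-range results, and logging at LOG_ERR makes a misconfiguration visible. Whether to fail the call or continue with the filter disabled is a policy choice; the sketch below fails it. The include list is not legible on this page, so check that the headers for `strtol`, `errno` and `INT_MAX` are present; the loop and the function continue outside the hunk.

```c
		else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0) {
			const char *arg = argv[i] + sizeof("minimum_uid=") - 1;
			char *end;
			long val;

			errno = 0;
			val = strtol(arg, &end, 10);
			if (end == arg || *end != '\0' || errno == ERANGE ||
			    val < 0 || val > INT_MAX) {
				syslog(LOG_ERR, "pam_ccreds: invalid minimum_uid \"%s\"", arg);
				return PAM_SERVICE_ERR;
			}
			minimum_uid = (int) val;
		}
		/* ... unchanged: ccredsfile= and action= branches ... */
```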
@@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action); } + rc = pam_get_user(pamh, &name, NULL); + if (rc != PAM_SUCCESS || name == NULL) { + if (rc == PAM_CONV_AGAIN) + return PAM_INCOMPLETE; + else + return PAM_SERVICE_ERR; + } + if (_pamcc_should_ignore(name, minimum_uid)) + return PAM_USER_UNKNOWN; + switch (sm_action) { case SM_ACTION_VALIDATE_CCREDS: selector = _pam_sm_validate_cached_credentials; -- debian/rules0000755000000000000000000000153011373525114010247 0ustar #!/usr/bin/make -f include /usr/share/cdbs/1/rules/debhelper.mk include /usr/share/cdbs/1/class/autotools.mk DEB_FIXPERMS_EXCLUDE=/sbin/ccreds_chkpwd DEB_CONFIGURE_EXTRA_FLAGS := \ --host=$(DEB_HOST_GNU_TYPE) \ --build=$(DEB_BUILD_GNU_TYPE) \ --prefix=/usr \ --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info\ --sbindir=/sbin \ --libdir=/lib \ --enable-gcrypt binary-install/libpam-ccreds:: chown root:root debian/libpam-ccreds/sbin/ccreds_chkpwd chmod 4755 debian/libpam-ccreds/sbin/ccreds_chkpwd mkdir -p debian/libpam-ccreds/usr/share/pam-configs install -m 0644 debian/libpam-ccreds.pam-auth-update.ccreds-save \ debian/libpam-ccreds/usr/share/pam-configs/ccreds-save install -m 0644 debian/libpam-ccreds.pam-auth-update.ccreds-check \ debian/libpam-ccreds/usr/share/pam-configs/ccreds-check debian/copyright0000644000000000000000000000217211235100757011124 0ustar This package was debianized by Guido Guenther on Tue, 5 Apr 2005 12:47:13 +0200. It was downloaded from http://www.padl.com/OSS/pam_ccreds.html Upstream Author: Luke Howard Copyright: (c) 2004 PADL Software Pty Ltd. (c) W. Michael Petullo, 2005. License: This package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. 
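Review bot: The new early return `return PAM_USER_UNKNOWN;` for filtered users has no comment, and the choice of code matters to anyone writing a stack. The profiles shipped in this package use `optional` and `[... default=ignore]`, where it is harmless, but under `required` or `requisite` it would deny every account below the threshold. I would add `/* Low-UID accounts are never cached or validated here; PAM_USER_UNKNOWN assumes the stack ignores this module's failures. */` above the `_pamcc_should_ignore` call and document the same in the README. `pam_get_user` now also runs before the action dispatch even when `minimum_uid` is 0, so a username prompt may appear earlier than before; the switch that follows is outside the hunk.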
This package is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this package; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, N: MA 02110-1301, USA. On Debian systems, the complete text of the GNU General Public License can be found in `/usr/share/common-licenses/GPL'. debian/docs0000644000000000000000000000000711235100757010037 0ustar README debian/changelog0000644000000000000000000001364312221253675011054 0ustar libpam-ccreds (10-6) unstable; urgency=low * [2baa623] We don't need automake nor autoconf to build. Closes; #724409 -- Guido Günther Fri, 27 Sep 2013 12:02:37 +0200 libpam-ccreds (10-5) unstable; urgency=low * upload to unstable -- Guido Günther Thu, 03 Jun 2010 10:30:49 +0200 libpam-ccreds (10-4) experimental; urgency=low * [e6358e9] New patch 0002-add-minimum_uid-option.patch add minimum_uid option (Closes: #580037) * [fcec739] Use minimum_uid argument within pam-auth-update * [5ce84cf] Swith to 3.0 (quilt) format -- Guido Günther Sat, 15 May 2010 16:08:26 +0200 libpam-ccreds (10-3) experimental; urgency=low * [3baec2f] Bump standards version * [40c1049] Add pam-auth-update-support by Steve Langasek (Closes: #566718) - thanks to Petter Reinholdtsen for forwarding the patch -- Guido Günther Thu, 13 May 2010 11:59:35 +0200 libpam-ccreds (10-2) unstable; urgency=low * [e85a2c3] switch to debhelper version 7 * [95d5160] exclude ccreds_chkpwd from dh_fixperms (Closes: #539446) * [9cd4ac6] fix lintian overrides file name * [ae51eb3] revert direct source code changes in preparation for new source format * [026a04d] bump standards version -- Guido Günther Sat, 01 Aug 2009 19:59:50 +0200 libpam-ccreds (10-1) unstable; urgency=low * [5d11679] debian/control: add Vcs-{Git,Browser} 
* [c42e688] debian/control: change section to admin * [985bc43] Imported Upstream version 9 * [0a8a249] Imported Upstream version 10 * [3352d79] debian/watch: allow multiple digits in version * [f2275de] drop 0002-don-t-store-validate-with-empty-passwords.patch applied upstream -- Guido Günther Fri, 03 Apr 2009 09:30:20 +0200 libpam-ccreds (8-2) unstable; urgency=low * [fe5bd17] switch to use patch-queue branch * [3229bcf] fix maintainer * [d18559b] update copyright information * [6127e04] bump standards version * [4239196] switch to cdbs * [68363cf] don't store/validate with empty passwords (Closes: #519944) -- Guido Günther Wed, 25 Mar 2009 22:30:54 +0100 libpam-ccreds (8-1) unstable; urgency=low * New Upstream Version -- Guido Guenther Fri, 07 Dec 2007 09:42:32 +0100 libpam-ccreds (7-2) unstable; urgency=low * add watch file * add Homepage: -- Guido Guenther Wed, 28 Nov 2007 09:37:57 +0100 libpam-ccreds (7-1) unstable; urgency=low * New Upstream Version * drop 01_use-gcrypt.diff - applied upstream * drop unneeded acconfig.h -- Guido Guenther Mon, 05 Nov 2007 20:00:30 +0100 libpam-ccreds (5-2) unstable; urgency=low * 01-use_gcrypt.diff: make openssl/gcrypt usage selectable via ./configure -- Guido Guenther Mon, 05 Nov 2007 18:37:26 +0100 libpam-ccreds (5-1) unstable; urgency=low * New upstream version * drop 00_chkpwd.diff, 02_fix-db3-build.diff, 03_cc_dump-print-help.diff applied upstream -- Guido Guenther Sun, 28 Oct 2007 11:36:16 +0100 libpam-ccreds (4-3) unstable; urgency=low * Add a setuid ccreds_chkpwd binary to allow non root programs to verify the password. Patch based on http://bugzilla.padl.com/show_bug.cgi?id=227 with numerous cleanups. 
(Closes: #358818) -- Guido Guenther Fri, 26 Oct 2007 16:31:09 +0200 libpam-ccreds (4-2) unstable; urgency=low * build against libdb4.6-dev (Closes: #442660) * Bump standards version to 3.7.2 * drop 03_am-maintainer-mode.dpatch * switch from dpatch to quilt and refresh the patches * cc_dump: add "-h" to print help -- Guido Guenther Sun, 30 Sep 2007 17:16:06 +0200 libpam-ccreds (4-1) unstable; urgency=low * New Upstream Version (Closes: #398482) * remove autogenerated files from the package -- Guido Guenther Tue, 14 Nov 2006 09:25:16 +0100 libpam-ccreds (3-2) unstable; urgency=low * rework the patch/autoreconf logic a bit so we don't depend on the configure's timestamp (Closes: #364664) -- Guido Guenther Wed, 26 Apr 2006 21:31:25 +0200 libpam-ccreds (3-1) unstable; urgency=low * New upstream version that allows us to drop these patches: - 03_fix-cc_test-minus-arg.dpatch - 04_pam-ccreds-dump-last-char.dpatch - 05_pam-ccreds-no-first-pass.dpatch - 07_fix_example.dpatch * update ./missing so autreconf works as expected -- Guido Guenther Sun, 23 Apr 2006 16:45:58 +0200 libpam-ccreds (1-6) unstable; urgency=low * fix example pam.conf: let's fail properly after a bad password -- Guido Guenther Fri, 3 Mar 2006 15:25:27 +0100 libpam-ccreds (1-5) unstable; urgency=low * add 06_db_get_dont_overflow_buffer: fix data buffer size check (by Nicolas Boullis ) -- Guido Guenther Thu, 29 Sep 2005 00:06:34 +0200 libpam-ccreds (1-4) unstable; urgency=low * add 03_fix-cc_test-minus-arg.dpatch (Closes: #329301) * add 04_pam-ccreds-dump-last-char.dpatch: fix off by one error when printing the hashes (by Nicolas Boullis ) * add 05_pam-ccreds-no-first-pass.dpatch: behave sanely when neither try_first_pass nor use_first_pass was given (by Nicolas Boullis ) * bump standards version to 3.6.2 (no source changes) -- Guido Guenther Thu, 22 Sep 2005 12:08:25 +0200 libpam-ccreds (1-3) unstable; urgency=low * add 02_fix-db3-build.dpatch -- Guido Guenther Thu, 21 Apr 2005 12:23:38 +0200 libpam-ccreds 
(1-2) unstable; urgency=low * build-depend on dpatch * fix build with db3 -- Guido Guenther Thu, 21 Apr 2005 11:27:01 +0200 libpam-ccreds (1-1) unstable; urgency=low * Initial release (Closes: #303240) * patch to use gcrypt11 instead of openssl -- Guido Guenther Thu, 7 Apr 2005 23:08:51 +0200 debian/libpam-ccreds.pam-auth-update.ccreds-save0000644000000000000000000000024111373525114017006 0ustar Name: Ccreds credential caching - password saving Default: yes Priority: 512 Auth-Type: Additional Auth: optional pam_ccreds.so minimum_uid=1000 action=store debian/libpam-ccreds.prerm0000644000000000000000000000017311372732771012755 0ustar #!/bin/sh set -e if [ "$1" = remove ]; then pam-auth-update --package --remove ccreds-check ccreds-save fi #DEBHELPER# debian/watch0000644000000000000000000000044111235100757010217 0ustar # Example watch control file for uscan # Rename this file to "watch" and then you can run the "uscan" command # to check for upstream updates and more. # See uscan(1) for format # Compulsory line, this is a version 3 file version=3 http://www.padl.com/download/pam_ccreds-(\d+)\.tar\.gz debian/libpam-ccreds.postinst0000644000000000000000000000007211372732771013511 0ustar #!/bin/sh set -e pam-auth-update --package #DEBHELPER# debian/control0000644000000000000000000000157012221253535010574 0ustar Source: libpam-ccreds Section: admin Priority: extra Maintainer: Guido Günther Build-Depends: debhelper (>= 7), autotools-dev, libgcrypt11-dev, libpam0g-dev, libdb-dev, cdbs Standards-Version: 3.8.4 Homepage: http://www.padl.com/OSS/pam_ccreds.html Vcs-Browser: http://git.debian.org/?p=users/agx/libpam-ccreds.git Vcs-Git: git://git.debian.org/users/agx/libpam-ccreds.git Package: libpam-ccreds Architecture: any Depends: ${shlibs:Depends}, ${misc:Depends} Suggests: nss-updatedb Description: Pam module to cache authentication credentials This package provides the means for Linux workstations to locally authenticate using an enterprise identity when the network is 
unavailable. Used in conjunction with the nss_updatedb utility, it provides a mechanism for disconnected use of network directories. They are designed to work with libpam-ldap and libnss-ldap. debian/libpam-ccreds.pam-auth-update.ccreds-check0000644000000000000000000000040211373525114017124 0ustar Name: Ccreds credential caching - password checking Default: yes Priority: 0 Auth-Type: Primary Auth: [success=end default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass [default=ignore] pam_ccreds.so minimum_uid=1000 action=update debian/libpam-ccreds.examples0000644000000000000000000000001111235100757013424 0ustar pam.conf debian/libpam-ccreds.lintian-overrides0000644000000000000000000000016311235100757015254 0ustar # yes, we know it's suid, that's the whole point... libpam-ccreds: setuid-binary sbin/ccreds_chkpwd 4755 root/root debian/dirs0000644000000000000000000000002611235100757010051 0ustar usr/sbin lib/security debian/source/0000755000000000000000000000000011373525321010470 5ustar debian/source/format0000644000000000000000000000001411373525321011676 0ustar 3.0 (quilt) debian/install0000644000000000000000000000004411235100757010556 0ustar cc_dump /usr/sbin cc_test /usr/sbin