Config file support #326
Config file support #326
Conversation
|
dacav
force-pushed
the
dacav/config_file
branch
2 times, most recently
from
611e678 to
257c433
Compare
dacav
force-pushed
the
dacav/config_file
branch
2 times, most recently
from
81fb36f to
e9d2621
Compare
dacav
force-pushed
the
dacav/config_file
branch
2 times, most recently
from
3b245e0 to
5365c0d
Compare
dacav
force-pushed
the
dacav/config_file
branch
from
5365c0d to
98fdb4d
Compare
Current situation:What is left to do for the current PR (soon follow-up):
|
dacav
force-pushed
the
dacav/config_file
branch
6 times, most recently
from
0adeda2 to
a6e93f3
Compare
|
Oh no. I figured out this even more work! Autoconf BUG (?)
This is a little pathological (maybe low prio?) but actually a defect. Vulnerable for untidy sysadmin:Currently my code is checking that the configuration file (1) belongs to root, (2) can only be written by root, (3) is not a symlink. But I'm not checking the status of the above directories... Therefore, assuming that [1] world-writable directory Attack: |
dacav
force-pushed
the
dacav/config_file
branch
2 times, most recently
from
36e1255 to
58e0177
Compare
dacav
force-pushed
the
dacav/config_file
branch
3 times, most recently
from
9d2c5d1 to
f90d66a
Compare
dacav
force-pushed
the
dacav/config_file
branch
from
f90d66a to
3a0ebb6
Compare
Having it into another module will prevent the code from being messy later. The parsing procedure is taken verbatim: no semantic change, no behavioural change.
The configuration file defines the default behaviour of pam_u2f. Individual module invocations under /etc/pam.d can override settings. The file-system location of the config file is by default $sysconfdir/security/pam_u2f.conf, where $sysconfdir is supplied at build time. A new module configuration, "conf=", allows to override it at runtime. Only absolute paths are accepted.
- split-input format: add trailing blob for config file The corpus needs some update. - wrappers (-Wl,--wrap) integrate fuzzing of the configuration file. The configuration file, mutated by the fuzzer, is made available to the cfg.c implementation. The mock-up works under the assumption that only the cfg.c module works by opening "/" with open(3), and follows up with an alternation of openat(3) and fstat(3) calls.
Generate pam_u2f.8.txt from pam_u2f.8.txt.in, replacing SCONFDIR
dacav
force-pushed
the
dacav/config_file
branch
from
3a0ebb6 to
6faab0d
Compare
|
Rebased on current |
| // | ||
| // On success returns PAM_SUCCESS | ||
| // On failure returns PAM_SERVICE_ERR and sets errno to indicate the error. | ||
| static int open_safely(int *outfd, size_t *outsize, const char *path) { |
There was a problem hiding this comment.
I'm not a huge fan of using errno this way. It appears we only need to be able to discern ENOENT, success, and a generic error for everything else. What about returning -ENOENT, a non-negative integer (fd), and -EINVAL respectively instead of the PAM_* value?
There was a problem hiding this comment.
The idea behind this is to use PAM_* error codes consistently everywhere for error handling.
It is feasible to do as you suggest, but that would be the only function that does error checking differently.
If that is in your opinion more beautiful than writing errno, then I can comply with your request. Please let me know :-)
There was a problem hiding this comment.
I believe we have several other functions that return 0 or 1 or some other error code, I'd rather use "internal" return values for these internal functions, we only really need to concern ourselves with PAM_ return values for functions that set retval in pam_sm_authenticate()
| len = strlen(path); | ||
| if (!len || path[0] != '/' || path[len - 1] == '/') { | ||
| errno = EINVAL; | ||
| return PAM_SERVICE_ERR; | ||
| } |
There was a problem hiding this comment.
Wouldn't *path != '/' suffice? S_ISREG should catch trying to open up a directory.
There was a problem hiding this comment.
Correct.
A left-over from previous iteration (path security) where I used strtok_r to split string on /.
On such situation this was a corner case to check.
| if (fd == -1) | ||
| return PAM_SERVICE_ERR; | ||
|
|
||
| if (fstat(fd, &st)) |
There was a problem hiding this comment.
I'd prefer to be explicit here with fstat(fd, &st) != 0.
| if (strncmp(argv[i], "conf=", strlen("conf=")) == 0) | ||
| continue; | ||
|
|
There was a problem hiding this comment.
Since cfg_load_arg() does not handle conf=, should we just drop this short circuiting?
| #include <stdio.h> | ||
|
|
||
| #define CFG_DEFAULT_PATH (SCONFDIR "/pam_u2f.conf") | ||
| #define CFG_MAX_FILE_SIZE 4096 // Arbitrary |
There was a problem hiding this comment.
When I see a constant, my first thought is "why not double or half that amount"?
Anyway... OK. 😁 no strong opinion.
There was a problem hiding this comment.
No strong opinions from my side either, I just don't get that much more information from this comment :)
| A configuration file can be used to set the default | ||
| <<moduleArguments,module arguments>>. | ||
|
|
||
| The file has a `name = value` format, with comments starting with the `#` |
There was a problem hiding this comment.
This section reads like a list, but is not a list, should we rephrase or add bullet points?
(same comment for man pages. as an additional follow up, we might want to consider a pam_u2f.conf.5)
Fixes #265