forked from saltstack/salt
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request saltstack#305 from saltstack/cve/3003.4-pam-auth-fix
CVE-2022-22967/3003.5 pam auth fix
- Loading branch information
Showing
4 changed files
with
46 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Fixed PAM auth to reject auth attempt if user account is locked. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,3 @@ | ||
| # -*- coding: utf-8 -*- | ||
| # The pam components have been modified to be salty and have been taken from | ||
| # the pam module under this licence: | ||
| # (c) 2007 Chris AtLee <[email protected]> | ||
|
|
@@ -35,8 +34,6 @@ | |
| """ | ||
|
|
||
| # Import Python Libs | ||
| from __future__ import absolute_import, print_function, unicode_literals | ||
|
|
||
| import logging | ||
| from ctypes import ( | ||
|
|
@@ -55,13 +52,8 @@ | |
| ) | ||
| from ctypes.util import find_library | ||
|
|
||
| # Import Salt libs | ||
| import salt.utils.user | ||
|
|
||
| # Import 3rd-party libs | ||
| from salt.ext import six | ||
| from salt.ext.six.moves import range # pylint: disable=import-error,redefined-builtin | ||
|
|
||
| log = logging.getLogger(__name__) | ||
|
|
||
| try: | ||
|
|
@@ -110,7 +102,7 @@ class PamMessage(Structure): | |
| ] | ||
|
|
||
| def __repr__(self): | ||
| return "<PamMessage {0} '{1}'>".format(self.msg_style, self.msg) | ||
| return "<PamMessage {} '{}'>".format(self.msg_style, self.msg) | ||
|
|
||
|
|
||
| class PamResponse(Structure): | ||
|
|
@@ -124,7 +116,7 @@ class PamResponse(Structure): | |
| ] | ||
|
|
||
| def __repr__(self): | ||
| return "<PamResponse {0} '{1}'>".format(self.resp_retcode, self.resp) | ||
| return "<PamResponse {} '{}'>".format(self.resp_retcode, self.resp) | ||
|
|
||
|
|
||
| CONV_FUNC = CFUNCTYPE( | ||
|
|
@@ -182,11 +174,11 @@ def authenticate(username, password): | |
| """ | ||
| service = __opts__.get("auth.pam.service", "login") | ||
|
|
||
| if isinstance(username, six.text_type): | ||
| if isinstance(username, str): | ||
| username = username.encode(__salt_system_encoding__) | ||
| if isinstance(password, six.text_type): | ||
| if isinstance(password, str): | ||
| password = password.encode(__salt_system_encoding__) | ||
| if isinstance(service, six.text_type): | ||
| if isinstance(service, str): | ||
| service = service.encode(__salt_system_encoding__) | ||
|
|
||
| @CONV_FUNC | ||
|
|
@@ -217,7 +209,7 @@ def my_conv(n_messages, messages, p_response, app_data): | |
|
|
||
| retval = PAM_AUTHENTICATE(handle, 0) | ||
| if retval == 0: | ||
| PAM_ACCT_MGMT(handle, 0) | ||
| retval = PAM_ACCT_MGMT(handle, 0) | ||
| PAM_END(handle, 0) | ||
| return retval == 0 | ||
|
|
||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| import pytest | ||
| import salt.auth.pam | ||
| from tests.support.mock import patch | ||
|
|
||
| pytestmark = [ | ||
| pytest.mark.skip_on_windows, | ||
| ] | ||
|
|
||
|
|
||
| @pytest.fixture | ||
| def configure_loader_modules(): | ||
| return {salt.auth.pam: {}} | ||
|
|
||
|
|
||
| @pytest.fixture | ||
| def mock_pam(): | ||
| with patch("salt.auth.pam.CALLOC", autospec=True), patch( | ||
| "salt.auth.pam.pointer", autospec=True, | ||
| ), patch("salt.auth.pam.PamHandle", autospec=True), patch( | ||
| "salt.auth.pam.PAM_START", autospec=True, return_value=0 | ||
| ), patch( | ||
| "salt.auth.pam.PAM_AUTHENTICATE", autospec=True, return_value=0 | ||
| ), patch( | ||
| "salt.auth.pam.PAM_END", autospec=True | ||
| ): | ||
| yield | ||
|
|
||
|
|
||
| def test_cve_if_pam_acct_mgmt_returns_nonzero_authenticate_should_be_false(mock_pam): | ||
| with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=42): | ||
| assert salt.auth.pam.authenticate(username="fnord", password="fnord") is False | ||
|
|
||
|
|
||
| def test_if_pam_acct_mgmt_returns_zero_authenticate_should_be_true(mock_pam): | ||
| with patch("salt.auth.pam.PAM_ACCT_MGMT", autospec=True, return_value=0): | ||
| assert salt.auth.pam.authenticate(username="fnord", password="fnord") is True |