Skip to content

Commit

Permalink
Add allowed_perm=0nnn option.
Browse files Browse the repository at this point in the history
DANGEROUS OPTION!

By default, the PAM module requires the secrets file to be readable only
by the owner of the file (mode 0600 by default). In situations where the
module is used in a non-default configuration, an administrator may need
more leanient file permissions, or a specific setting for their use
case.

This commit is pulled out of
google#542
by Philip Woolford <[email protected]>
  • Loading branch information
ThomasHabets committed May 13, 2016
1 parent 6138818 commit 1224b63
Show file tree
Hide file tree
Showing 2 changed files with 34 additions and 3 deletions.
9 changes: 9 additions & 0 deletions libpam/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -104,6 +104,15 @@ This option can be used to allow daemons not running as root to still handle
configuration files not owned by that user, for example owned by the users
themselves.

### allowed_perm=0nnn

DANGEROUS OPTION!

By default, the PAM module requires the secrets file to be readable only by the
owner of the file (mode 0600 by default). In situations where the module is used
in a non-default configuration, an administrator may need more leanient file
permissions, or a specific setting for their use case.

### debug

Enable more verbose log messages in syslog.
Expand Down
28 changes: 25 additions & 3 deletions libpam/src/pam_google_authenticator.c
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,7 @@ typedef struct Params {
int forward_pass;
int debug;
int no_strict_owner;
int allowed_perm;
} Params;

static char oom;
Expand Down Expand Up @@ -352,15 +353,24 @@ static int open_secret_file(pam_handle_t *pamh, const char *secret_filename,
return -1;
}

if (params->debug) {
log_message(LOG_INFO, pamh,
"Secret file permissions are %04o."
" Allowed permissions are %04o",
orig_stat->st_mode & 03777, params->allowed_perm);
}

// Check permissions on "~/.google_authenticator".
if (!S_ISREG(orig_stat->st_mode)) {
log_message(LOG_ERR, pamh, "Secret file \"%s\" is not a regular file",
secret_filename);
goto error;
}
if ((orig_stat->st_mode & 03577) != 0400) {
log_message(LOG_ERR, pamh, "Secret file \"%s\" is more permissive than %4o",
secret_filename, 0400);
if (orig_stat->st_mode & 03777 & ~params->allowed_perm) {
log_message(LOG_ERR, pamh,
"Secret file \"%s\" permissions (%04o)"
" are more permissive than %04o", secret_filename,
orig_stat->st_mode & 03777, params->allowed_perm);
goto error;
}

Expand Down Expand Up @@ -1394,6 +1404,17 @@ static int parse_args(pam_handle_t *pamh, int argc, const char **argv,
}
params->fixed_uid = 1;
params->uid = uid;
} else if (!memcmp(argv[i], "allowed_perm=", 13)) {
char *remainder = NULL;
int perm = (int)strtol(argv[i] + 13, &remainder, 8);
if (perm == 0 || strlen(remainder) != 0) {
log_message(LOG_ERR, pamh,
"Invalid permissions in setting \"%s\"."
" allowed_perm setting must be a positive octal integer.",
argv[i]);
return -1;
}
params->allowed_perm = perm;
} else if (!strcmp(argv[i], "no_strict_owner")) {
params->no_strict_owner = 1;
} else if (!strcmp(argv[i], "debug")) {
Expand Down Expand Up @@ -1438,6 +1459,7 @@ static int google_authenticator(pam_handle_t *pamh, int flags,

// Handle optional arguments that configure our PAM module
Params params = { 0 };
params.allowed_perm = 0600;
if (parse_args(pamh, argc, argv, &params) < 0) {
return rc;
}
Expand Down

0 comments on commit 1224b63

Please sign in to comment.