PAM authentication bug?
Denys Vlasenko
vda.linux at googlemail.com
Mon Sep 3 04:36:57 PDT 2007
Hi John,
On Sunday 02 September 2007 01:39, John Gumb wrote:
> Looks like there's a bug in loginutils/login.c if PAM authentication is
> enabled.
>
> Symptoms are that if a valid username is entered with an incorrect
> password then the user is allowed to log in.
>
> Problem is if pam authentication fails the code just goes on to do a
> getpwnam(username) which will succeed so long as the username is valid.
> In the authentication failure case we need to goto auth_failed.
>
> --- loginutils/login.c.orig 2007-09-02 00:50:09.000000000 +0100
> +++ loginutils/login.c 2007-09-02 00:50:58.000000000 +0100
> @@ -324,6 +324,11 @@
> }
> safe_strncpy(username, pamuser,
> sizeof(username));
> }
> + else
> + {
> + goto auth_failed;
> + }
> +
> /* If we get here, the user was authenticated, and is
> * granted access. */
> pw = getpwnam(username);
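Review bot: The added `else { goto auth_failed; }` covers only the single `if` whose closing `}` comes right before it, so rejection depends on that one condition being the only way PAM can fail. The context lines show another block closing just above `safe_strncpy(username, pamuser, sizeof(username));`, and the hunk does not show whether every failure inside that region also leaves the success path before reaching `pw = getpwnam(username);`. I would make failure the default instead: jump to `auth_failed` unless each PAM step has reported success, so that the comment "If we get here, the user was authenticated" holds on every path and a later change to the PAM block cannot reopen the fall-through. A short comment on the new branch saying that a valid username alone must never reach `getpwnam()` would also help.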
>
> seems to fix it.
PAM login support is new.
Thanks for spotting this bug. Can you test attached patch?
--
vda
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4.patch
Type: text/x-diff
Size: 2101 bytes
Desc: not available
Url : http://busybox.net/lists/busybox/attachments/20070903/f6b27f11/attachment.bin