Bug 295151 - The "in" operator to pam_succeed_if appears to be broken
Summary: The "in" operator to pam_succeed_if appears to be broken
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2007-09-18 17:33 UTC by John T. Rose
Modified: 2010-04-07 17:19 UTC (History)
1 user (show)

Clone Of:
Last Closed: 2008-05-21 17:27:09 UTC

Attachments (Terms of Use)
Possible pam_succeed_if.c patch to actually search lists for matches (870 bytes, patch)
2007-09-23 16:18 UTC, John T. Rose
no flags Details | Diff

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0336 normal SHIPPED_LIVE pam bug fix, and enhancement update 2008-05-20 13:23:47 UTC

Description John T. Rose 2007-09-18 17:33:38 UTC
Description of problem:

consider an entry like

auth sufficient /lib/security/$ISA/pam_succeed_if.so user in redhat:hat

this will succeed for user redhat and fail for user hat

switching these around like

auth sufficient /lib/security/$ISA/pam_succeed_if.so user in hat:redhat

will succeed for both user redhat and for user hat

Version-Release number of selected component (if applicable):

appears broken on both rhel4 and rhel5 (didn't check anything older than that)

How reproducible:

should be obvious from above description

Steps to Reproduce:
Actual results:

Expected results:

Additional info:

take a look at the evaluate_inlist() function in pam_succeed_if.c and the cause
should be fairly easy to see

Comment 1 John T. Rose 2007-09-23 16:16:01 UTC
Here is a patch that seems to fix this for my case ... not sure about all other
possible uses of the operator...

Comment 2 John T. Rose 2007-09-23 16:18:33 UTC
Created attachment 203531 [details]
Possible pam_succeed_if.c patch to actually search lists for matches

Comment 3 RHEL Product and Program Management 2007-10-19 20:26:05 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 8 errata-xmlrpc 2008-05-21 17:27:09 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Comment 9 Chris Ward 2008-06-17 15:48:42 UTC
Reminder: This bug includes the 'RHTS' QA Whiteboard Keyword. Don't forget to add
'RHTSdone' to the QA Whiteboard along with a comment describing where the RHTS
test can be found once the RHTS test has been written. Otherwise, if an RHTS
will not be created, please remove RHTS from the qa whiteboard.

Note You need to log in before you can comment on or make changes to this bug.