Bug 295151 - The "in" operator to pam_succeed_if appears to be broken
The "in" operator to pam_succeed_if appears to be broken
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
5.0
All Linux
low Severity low
: ---
: ---
Assigned To: Tomas Mraz
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-09-18 13:33 EDT by John T. Rose
Modified: 2010-04-07 13:19 EDT (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2008-0336
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-05-21 13:27:09 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Possible pam_succeed_if.c patch to actually search lists for matches (870 bytes, patch)
2007-09-23 12:18 EDT, John T. Rose
no flags Details | Diff

  None (edit)
Description John T. Rose 2007-09-18 13:33:38 EDT
Description of problem:

consider an entry like

auth sufficient /lib/security/$ISA/pam_succeed_if.so user in redhat:hat

this will succeed for user redhat and fail for user hat

switching these around like

auth sufficient /lib/security/$ISA/pam_succeed_if.so user in hat:redhat

will succeed for both user redhat and for user hat

Version-Release number of selected component (if applicable):

appears broken on both rhel4 and rhel5 (didn't check anything older than that)

How reproducible:

should be obvious from above description

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

take a look at the evaluate_inlist() function in pam_succeed_if.c and the cause
should be fairly easy to see
Comment 1 John T. Rose 2007-09-23 12:16:01 EDT
Here is a patch that seems to fix this for my case ... not sure about all other
possible uses of the operator...
Comment 2 John T. Rose 2007-09-23 12:18:33 EDT
Created attachment 203531 [details]
Possible pam_succeed_if.c patch to actually search lists for matches
Comment 3 RHEL Product and Program Management 2007-10-19 16:26:05 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 8 errata-xmlrpc 2008-05-21 13:27:09 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0336.html
Comment 9 Chris Ward 2008-06-17 11:48:42 EDT
Reminder: This bug includes the 'RHTS' QA Whiteboard Keyword. Don't forget to add
'RHTSdone' to the QA Whiteboard along with a comment describing where the RHTS
test can be found once the RHTS test has been written. Otherwise, if an RHTS
will not be created, please remove RHTS from the qa whiteboard.

Note You need to log in before you can comment on or make changes to this bug.