Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Config file support #326

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open

Config file support #326

wants to merge 6 commits into from

Conversation

dacav
Copy link
Contributor

@dacav dacav commented Dec 13, 2024

Fixes #265

@dacav dacav requested a review from LDVG December 13, 2024 15:08
@dacav dacav self-assigned this Dec 13, 2024
@dacav dacav marked this pull request as draft December 13, 2024 15:08
@dacav
Copy link
Contributor Author

dacav commented Dec 13, 2024
edited
Loading

  • Manpages update

@dacav dacav force-pushed the dacav/config_file branch 2 times, most recently from 611e678 to 257c433 Compare December 16, 2024 23:23
dacav
dacav commented Dec 16, 2024
View reviewed changes
cfg.c Outdated Show resolved Hide resolved
dacav
dacav commented Dec 16, 2024
View reviewed changes
cfg.c Outdated Show resolved Hide resolved
dacav
dacav commented Dec 16, 2024
View reviewed changes
README Outdated Show resolved Hide resolved
dacav
dacav commented Dec 16, 2024
View reviewed changes
man/pam_u2f.8.txt Outdated Show resolved Hide resolved
@dacav dacav force-pushed the dacav/config_file branch 2 times, most recently from 81fb36f to e9d2621 Compare December 17, 2024 08:24
@dacav dacav marked this pull request as ready for review December 17, 2024 08:36
@dacav dacav force-pushed the dacav/config_file branch 2 times, most recently from 3b245e0 to 5365c0d Compare December 17, 2024 08:50
LDVG
LDVG reviewed Dec 17, 2024
View reviewed changes
Copy link
Contributor

@LDVG LDVG left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a pretty good start to me. I've left mostly nitpicking comments in-line. 🙂

Makefile.am Outdated
@@ -17,6 +17,7 @@ AM_CPPFLAGS = $(LIBFIDO2_CFLAGS) $(LIBCRYPTO_CFLAGS)
if ENABLE_FUZZING
AM_CPPFLAGS += -fsanitize=fuzzer-no-link
endif
AM_CPPFLAGS += -D SYSCONFDIR='"$(sysconfdir)"'
Copy link
Contributor

@LDVG LDVG Dec 17, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it make sense to make it possible to choose the entire path to a directory rather than just a prefix (see CFG_DEFAULT_PATH) ? E.g.

--with-security-config-dir=path

where path defaults to $sysconfdir/security at configure-time.

README Outdated Show resolved Hide resolved
README Outdated Show resolved Hide resolved
README Outdated Show resolved Hide resolved
README Outdated Show resolved Hide resolved
man/pam_u2f.8.txt Outdated Show resolved Hide resolved
man/pam_u2f.8.txt Outdated Show resolved Hide resolved
tests/cfg.c Outdated Show resolved Hide resolved
tests/cfg.c Outdated Show resolved Hide resolved
tests/cfg.c Show resolved Hide resolved
@dacav dacav marked this pull request as draft December 17, 2024 14:45
@dacav
pam: Introduce cfg module
45bff88 
Having it into another module will prevent the code from being messy
later.

The parsing procedure is taken verbatim: no semantic change, no
behavioural change.
@dacav dacav force-pushed the dacav/config_file branch from 5365c0d to 98fdb4d Compare December 18, 2024 20:57
@dacav
Copy link
Contributor Author

dacav commented Dec 18, 2024
edited
Loading

Current situation:

What is left to do for the current PR (soon follow-up):

  • A proper MAX_PATH (currently using hard-wired 4096 - Linux).
  • A temporary --with-security-confdir solution, mimicking --with-pam-dir (future refinement)
  • Trailing comments and spaces around '='
  • Only file owner can write (hopefully that's root)
  • Only root can own the file (requires fakeroot-ish behaviour)
  • Comprehensive config unit test
  • Inject the security-confdir into manpages (currently "/etc/security" is a fixed string

@dacav dacav force-pushed the dacav/config_file branch 6 times, most recently from 0adeda2 to a6e93f3 Compare December 23, 2024 22:50
@dacav dacav marked this pull request as ready for review January 2, 2025 08:51
@dacav
Copy link
Contributor Author

dacav commented Jan 2, 2025

Oh no. I figured out this even more work!

Autoconf BUG (?)

  1. ./configure --with-sconf-dir=/a
  2. make && sudo make install
  3. ./configure --with-sconf-dir=/b
  4. make # WILL NOT RECOMPILE (well, only manpage)
  5. sudo make install # not what expected: old binary is installed again

This is a little pathological (maybe low prio?) but actually a defect.

Vulnerable for untidy sysadmin:

Currently my code is checking that the configuration file (1) belongs to root, (2) can only be written by root, (3) is not a symlink. But I'm not checking the status of the above directories... Therefore, assuming that pam_u2f.so is configured to use /my/hopefully/notalink/pam_u2f.conf as a configuration file, in the (also pathological?) situation the unprivileged user might be able to hijack the configuration:

  user@localhost:/my$ ls -lR .
  .:
  total 4
  drwxrwxrwx 4 root root 4096 Jan  2 11:23 hopefully [1]

  ./hopefully:
  total 8
  drwxr-xr-x 2 root root 4096 Jan  2 11:15 notalink
  drwxr-xr-x 2 root root 4096 Jan  2 11:23 oops

  ./hopefully/notalink:
  total 4
  -rw-r--r-- 1 root root 13 Jan  2 11:05 pam_u2f.conf [2]

  ./hopefully/oops:
  total 4
  -rw-r--r-- 1 root root 13 Jan  2 11:23 pam_u2f.conf [2]

[1] world-writable directory
[2] a root-owned-not-writable copy exists

Attack:

  user@localhost:/my$ cd hopefully
  user@localhost:/my/hopefully$ mv notalink/ goodbye
  user@localhost:/my/hopefully$ ln -s oops notalink
  user@localhost:/my/hopefully$ cd ..
  user@localhost:/my$ ls -lR
  .:
  total 4
  drwxrwxrwx 4 root root 4096 Jan  2 11:25 hopefully

  ./hopefully:
  total 8
  drwxr-xr-x 2 root root 4096 Jan  2 11:15 goodbye
  lrwxrwxrwx 1 user user    4 Jan  2 11:25 notalink -> oops
  drwxr-xr-x 2 root root 4096 Jan  2 11:23 oops

  ./hopefully/goodbye:
  total 4
  -rw-r--r-- 1 root root 13 Jan  2 11:05 pam_u2f.conf

  ./hopefully/oops:
  total 4
  -rw-r--r-- 1 root root 15 Jan  2 11:23 pam_u2f.conf

dacav added 2 commits January 5, 2025 13:59
@dacav
pam: Config file support
7bf3f0b 
The configuration file defines the default behaviour of pam_u2f.
Individual module invocations under /etc/pam.d can override
settings.

The file-system location of the config file is by default
$sysconfdir/security/pam_u2f.conf, where $sysconfdir is supplied at
build time.

A new module configuration, "conf=", allows to override it at
runtime. Only absolute paths are accepted.
@dacav
tests: Add unit tests for conf file
5041e54
dacav added 3 commits January 5, 2025 14:02
@dacav
fuzz: Integrate cfg with libfuzzer testing
4f98c7a 
- split-input format: add trailing blob for config file

  The corpus needs some update.

- wrappers (-Wl,--wrap) integrate fuzzing of the configuration file.

  The configuration file, mutated by the fuzzer, is made
  available to the cfg.c implementation.

  The mock-up works under the assumption that only the cfg.c
  module works by opening "/" with open(3), and follows up with an
  alternation of openat(3) and fstat(3) calls.
@dacav
README: update with info about conf file
1a5e088
@dacav
man: update with info about conf file
36e1255 
Generate pam_u2f.8.txt from pam_u2f.8.txt.in, replacing SCONFDIR
@dacav dacav force-pushed the dacav/config_file branch from a6e93f3 to 36e1255 Compare January 5, 2025 13:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@LDVG LDVG LDVG left review comments

Assignees

@dacav dacav

Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[RFE] Allow to set pam_u2f arguments in configuration file
2 participants
@dacav @LDVG