From: Tomas Mraz <tm@t8m.info>
Date: Fri, 11 Jul 2008 15:29:00 +0000 (+0000)
Subject: Relevant BUGIDs: #2009766
X-Git-Tag: Linux-PAM-1_0_90~69
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0323cbc3d94badc4d5e941a8fb679444dcb72bbb;p=linux-pam

Relevant BUGIDs: #2009766

Purpose of commit: bugfix

Commit summary:
---------------
2008-07-11  Tomas Mraz <t8m@centrum.cz>

        * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Do
        not close the pipe descriptor in borderline case (#2009766)
        * modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
        Likewise.
        * modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
        * modules/pam_unix/support.h: Define upper limit of fds we will
        attempt to close.
---

diff --git a/ChangeLog b/ChangeLog
index 52841d5b..0301b581 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2008-07-11  Tomas Mraz <t8m@centrum.cz>
+
+	* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary): Do
+	not close the pipe descriptor in borderline case (#2009766)
+	* modules/pam_unix/pam_unix_passwd.c (_unix_run_update_binary):
+	Likewise.
+	* modules/pam_unix/support.c (_unix_run_helper_binary): Likewise.
+	* modules/pam_unix/support.h: Define upper limit of fds we will
+	attempt to close.
+
 2008-07-09  Thorsten Kukuk  <kukuk@thkukuk.de>
 
 	* modules/pam_exec/pam_exec.c (call_exec): Move all variable
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index c09bc175..3a40d8d3 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -91,21 +91,21 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
   /* fork */
   child = fork();
   if (child == 0) {
-    size_t i=0;
+    int i=0;
     struct rlimit rlim;
     static char *envp[] = { NULL };
     char *args[] = { NULL, NULL, NULL, NULL };
 
-    close(0); close(1);
-    /* reopen stdin as pipe */
-    close(fds[0]);
+    /* reopen stdout as pipe */
     dup2(fds[1], STDOUT_FILENO);
 
     /* XXX - should really tidy up PAM here too */
 
     if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
-      for (i=2; i < rlim.rlim_max; i++) {
-	if ((unsigned int)fds[1] != i) {
+      if (rlim.rlim_max >= MAX_FD_NO)
+        rlim.rlim_max = MAX_FD_NO;
+      for (i=0; i < (int)rlim.rlim_max; i++) {
+	if (i != STDOUT_FILENO) {
 	  close(i);
 	}
       }
@@ -126,7 +126,6 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl,
 
     pam_syslog(pamh, LOG_ERR, "helper binary execve failed: %m");
     /* should not get here: exit with error */
-    close (fds[1]);
     D(("helper binary is not available"));
     printf("-1\n");
     exit(PAM_AUTHINFO_UNAVAIL);
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 0a429756..abb04c53 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -163,7 +163,7 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
     /* fork */
     child = fork();
     if (child == 0) {
-        size_t i=0;
+        int i=0;
         struct rlimit rlim;
 	static char *envp[] = { NULL };
 	char *args[] = { NULL, NULL, NULL, NULL, NULL, NULL };
@@ -171,14 +171,14 @@ static int _unix_run_update_binary(pam_handle_t *pamh, unsigned int ctrl, const
 
 	/* XXX - should really tidy up PAM here too */
 
-	close(0); close(1);
 	/* reopen stdin as pipe */
-	close(fds[1]);
 	dup2(fds[0], STDIN_FILENO);
 
 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
-	  for (i=2; i < rlim.rlim_max; i++) {
-	    if ((unsigned int)fds[0] != i)
+	  if (rlim.rlim_max >= MAX_FD_NO)
+	    rlim.rlim_max = MAX_FD_NO;
+	  for (i=0; i < (int)rlim.rlim_max; i++) {
+	    if (i != STDIN_FILENO)
 	  	   close(i);
 	  }
 	}
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 781d0006..db630f51 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -427,14 +427,14 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
 
 	/* XXX - should really tidy up PAM here too */
 
-	close(0); close(1);
 	/* reopen stdin as pipe */
-	close(fds[1]);
 	dup2(fds[0], STDIN_FILENO);
 
 	if (getrlimit(RLIMIT_NOFILE,&rlim)==0) {
-	  for (i=2; i < (int)rlim.rlim_max; i++) {
-		if (fds[0] != i)
+          if (rlim.rlim_max >= MAX_FD_NO)
+                rlim.rlim_max = MAX_FD_NO;
+	  for (i=0; i < (int)rlim.rlim_max; i++) {
+		if (i != STDIN_FILENO)
 	  	   close(i);
 	  }
 	}
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 9d4f8b85..a33dadaa 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -91,7 +91,6 @@ typedef struct {
 /* -------------- */
 #define UNIX_CTRLS_              26	/* number of ctrl arguments defined */
 
-
 static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 {
 /* symbol                  token name          ctrl mask             ctrl     *
@@ -127,6 +126,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
 
 #define UNIX_DEFAULTS  (unix_args[UNIX__NONULL].flag)
 
+#define MAX_FD_NO 2000000
 
 /* use this to free strings. ESPECIALLY password strings */