Page MenuHomeFreeBSD

pam_exec(8) expose_authtok should send a trailing NUL
ClosedPublic

Authored by munro_ip9.org on Aug 30 2018, 11:20 AM.

Details

Summary

On Linux PAM, pam_exec(8) expose_authtok sends the password followed by a NUL character. The FreeBSD version doesn't send the NUL. The invoked program may or may not notice, depending on the language, but since the point of expose_authtok is to be compatible with Linux PAM we should send that trailing NUL too.

Test Plan

Create an executable script /tmp/test.sh to dump the password into a file:

#!/bin/sh
cat > /tmp/captured

Create a service file /etc/pam.d/my-service containing:

auth required /path/to/pam_exec.so expose_authtok /tmp/test.sh
account required pam_permit.so

Install pamtester with pkg, and then test with:

pamtester my-service abc authenticate

Enter "hello" at the password prompt. Now od -c /tmp/captured should show:

0000000    h   e   l   l   o  \0
0000006

The same test run on a Linux system ("apt-get install pamtester" for Debian) shows the same output.

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

munro_ip9.org created this revision.Aug 30 2018, 11:20 AM
des accepted this revision.Sep 4 2018, 9:01 AM
This revision is now accepted and ready to land.Sep 4 2018, 9:01 AM
This revision was automatically updated to reflect the committed changes.