From 155b485ba7d659b3c6992b9bdf8c067369990677 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Wed, 30 Mar 2016 08:59:06 +0200 Subject: [PATCH 1/3] copy ownership and modes of old challenge file when creating a new one fixes #92 --- pam_yubico.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pam_yubico.c b/pam_yubico.c index b193436..b49d5c2 100644 --- a/pam_yubico.c +++ b/pam_yubico.c @@ -616,10 +616,14 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) goto restpriv_out; } - if (fchmod (fd, S_IRUSR | S_IWUSR) != 0) { + if (fchmod (fd, st.st_mode) != 0) { DBG (("could not set correct file permissions")); goto restpriv_out; } + if (fchown (fd, st.st_uid, st.st_gid) != 0) { + DBG (("could not set correct file ownership")); + goto restpriv_out; + } f = fdopen(fd, "w"); if (! f) { From 7639f4684a7a9090e246915f71759f31b0e77ab4 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 31 Mar 2016 10:11:44 +0200 Subject: [PATCH 2/3] set file permissions when creating a new challenge file --- ykpamcfg.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ykpamcfg.c b/ykpamcfg.c index 29b75c8..8e9dc0c 100644 --- a/ykpamcfg.c +++ b/ykpamcfg.c @@ -240,6 +240,11 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u if (! write_chalresp_state (f, &state)) goto out; + if (! chmod (fn, S_IRUSR | S_IWUSR)) { + fprintf (stderr, "Failed setting permissions on new challenge file %s.\n", fn); + goto out; + } + printf ("Stored initial challenge and expected response in '%s'.\n", fn); *exit_code = 0; From 0a1051f6dfd8c13d47614eaf9f38f4ee70bb109a Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Thu, 31 Mar 2016 10:12:18 +0200 Subject: [PATCH 3/3] check that file doesn't exist before we try to write it --- ykpamcfg.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ykpamcfg.c b/ykpamcfg.c index 8e9dc0c..bc8be1e 100644 --- a/ykpamcfg.c +++ b/ykpamcfg.c @@ -145,6 +145,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u char *fn; struct passwd *p; FILE *f = NULL; + struct stat st; state.iterations = iterations; state.slot = slot; @@ -162,7 +163,6 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u */ if (!output_dir){ - struct stat st; char fullpath[256]; snprintf(fullpath, 256,"%s/.yubico",p->pw_dir); @@ -190,6 +190,11 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u goto out; } + if (stat(fn, &st) == 0) { + fprintf(stderr, "File %s already exists, refusing to overwrite.\n", fn); + goto out; + } + if (generate_random(state.challenge, CR_CHALLENGE_SIZE)) { fprintf (stderr, "FAILED getting %i bytes of random data\n", CR_CHALLENGE_SIZE); goto out;