#487 Possible to add invalid attribute values to PAM PTA plugin configuration
Closed: wontfix. Opened 11 years ago by rmeggins.

https://bugzilla.redhat.com/show_bug.cgi?id=863415 (Red Hat Enterprise Linux 6)

Description of problem:

PAM passthrough plugin now accepts even incorrect values for some attributes
in configuration entry, namely pamIDMapMethod, pamMissingSuffix and pamService.
Invalid values can be passed to pamIDMapMethod (should allow only RDN DN ENTRY)
and pamMissingSuffix (should allow only ALLOW IGNORE ERROR), while pamService
accepts empty value.

Version-Release number of selected component (if applicable):
389-ds-base-1.2.10.2-15.el6.x86_64

How reproducible:
always


Steps to Reproduce:
ldapmodify .. <<EOF
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: invalid
-
replace: pamMissingSuffix
pamMissingSuffix: invalid
-
replace: pamService
pamService:
EOF

Actual results:
ldapmodify succeeds

Expected results:
Should fail with ldap_modify: Invalid syntax (return code 21)

Additional info:
other attributes do not permit incorrect values and fail with RC 21, e.g.
pamFallback or pamExcludeSuffix

It looks like the bug is already fixed in 1.2.11.17-1.fc17.
After creating a dedicated suffix and enabling the PAM plugin:

'''Test of pamMissingSuffix'''

ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamMissingSuffix
pamMissingSuffix: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE

The error returned seems good to me (unwilling to perform) rather than a syntax error. The only issue is that it displays internal code macros rather than the user values ERROR, ALLOW or IGNORE.

'''Test of pamIDMapMethod'''

ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamIDMapMethod
pamIDMapMethod: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: The map method in the string [invalid] is invalid: must be one of DN or RDN or ENTRY

The error returned seems good to me (unwilling to perform) rather than a syntax error. The displayed values are correct.

'''Test of pamService'''

ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamService
pamService:

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"

This change is applied and I think it is correct. In fact, pamService defines a file name under /etc/pam.d, and if the file does not exist, the policy for the service will be taken from /etc/pam.conf. So if pamService is empty, DS will use /etc/pam.conf, which is legal.

I need to confirm that most of the bug is already fixed (except for displaying the user values rather than internal macros), and when it occurred.

Yes, I believe err=53 is correct as noted by Thierry. Error 21 is for violations of LDAP syntaxes. The syntaxes used by these 3 attributes are as follows:

pamMissingSuffix - Directory String (1 or more UTF8 characters)
pamIDMapMethod - Directory String (1 or more UTF8 characters)
pamService - IA5 String (0 or more characters from the ASCII IA5 alphabet)

The tested values do not violate the LDAP syntaxes, so returning err=21 is not appropriate. The tested values for pamMissingSuffix and pamIDMapMethod are invalid from the viewpoint of the PAM passthrough plug-in though, which is why the plug-in does further validation and returns err=53 and a useful message as appropriate.
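The two-level check described above (LDAP syntax first, then plug-in semantics) as an added illustration, not code from the 389-ds-base plug-in: syntax violations map to err=21, values that pass the syntax but are meaningless to the plug-in map to err=53, and the diagnostic is built from the user-facing keywords rather than internal macro names. The function names and the keyword lists are assumptions modelled on the attributes discussed in this ticket.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define LDAP_SUCCESS              0
#define LDAP_INVALID_SYNTAX       21  /* value breaks the attribute's LDAP syntax */
#define LDAP_UNWILLING_TO_PERFORM 53  /* syntax ok, but the plug-in refuses the value */

/* Directory String syntax: one or more UTF-8 characters, so "" is a syntax error. */
static int is_directory_string(const char *v) { return v && v[0] != '\0'; }

/* IA5 String syntax: zero or more 7-bit ASCII characters, so "" is legal. */
static int is_ia5_string(const char *v) {
    if (!v) return 0;
    for (; *v; v++) if ((unsigned char)*v > 0x7f) return 0;
    return 1;
}

static int eq_nocase(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Shared keyword check (hypothetical helper). The message lists the user-facing
 * words, never internal macro names, which is the display issue this ticket fixes. */
static int check_keyword(const char *attr, const char *value, const char *const *ok,
                         size_t n, char *err, size_t errlen) {
    if (!is_directory_string(value)) return LDAP_INVALID_SYNTAX;
    for (size_t i = 0; i < n; i++) if (eq_nocase(value, ok[i])) return LDAP_SUCCESS;
    int len = snprintf(err, errlen, "valid values for %s are", attr);
    for (size_t i = 0; i < n && len >= 0 && (size_t)len < errlen; i++)
        len += snprintf(err + len, errlen - len, "%s %s", i ? "," : "", ok[i]);
    return LDAP_UNWILLING_TO_PERFORM;
}

int check_pam_missing_suffix(const char *value, char *err, size_t errlen) {
    static const char *const ok[] = { "ERROR", "ALLOW", "IGNORE" };
    return check_keyword("pamMissingSuffix", value, ok, 3, err, errlen);
}

int check_pam_id_map_method(const char *value, char *err, size_t errlen) {
    static const char *const ok[] = { "DN", "RDN", "ENTRY" };
    return check_keyword("pamIDMapMethod", value, ok, 3, err, errlen);
}

/* pamService names a file under /etc/pam.d; an empty value is valid IA5 and
 * means the policy comes from /etc/pam.conf, so only the syntax is checked. */
int check_pam_service(const char *value) {
    return is_ia5_string(value) ? LDAP_SUCCESS : LDAP_INVALID_SYNTAX;
}
```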

Replying to [comment:6 tbordaz]:

'''Test of pamMissingSuffix'''

ldapmodify -h localhost -p 9577 -D "cn=directory manager" -w secret12
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
replace: pamMissingSuffix
pamMissingSuffix: invalid

modifying entry "cn=PAM Pass Through Auth,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
additional info: Error: valid values for pamMissingSuffix are PAMPT_MISSING_SUFFIX_ERROR, PAMPT_MISSING_SUFFIX_ALLOW, PAMPT_MISSING_SUFFIX_IGNORE

The error returned seems good to me (unwilling to perform) rather than a syntax error. The only issue is that it displays internal code macros rather than the user values ERROR, ALLOW or IGNORE.

Yes, we should fix the error message to not display the macros. I think everything else is working as designed.

Fix pushed to master:

[tbordaz@pctbordaz ds]$ git merge ticket487
Updating 0219577..ca06547
Fast-forward
ldap/servers/plugins/pam_passthru/pam_ptconfig.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

[tbordaz@pctbordaz ds]$ git push origin master
Enter passphrase for key '/home/tbordaz/.ssh/id_rsa_fedora':
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.18 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
0219577..ca06547 master -> master

commit ca06547
Author: Thierry bordaz (tbordaz) tbordaz@redhat.com
Date: Thu Jan 24 16:17:32 2013 +0100

Metadata Update from @tbordaz:
- Issue assigned to tbordaz
- Issue set to the milestone: 1.3.1

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/487

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
