Re: [PAM] patch for pam_time "Or" logic flaw, debian bug #326407.
On Wed, Oct 29, Andreas Henriksson wrote:
> tags 326407 + patch
> stop
>
> With a /etc/security/time.conf spec like this and the pam_time module in use:
> *;*;x|y;!Al0000-2400
Your patch is wrong, because using "xy" would now match "x|y", too.
This patch should work:
--- modules/pam_time/pam_time.c 7 Dec 2007 15:40:02 -0000 1.16
+++ modules/pam_time/pam_time.c 24 Nov 2008 16:03:06 -0000
@@ -345,6 +345,7 @@
{
int i;
const char *a;
+ int length = len;
a = A;
for (i=0; len > 0; ++i, --len) {
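Review bot: `length` and `len` are too easy to confuse in the added declaration `int length = len;`, and nothing stops a later edit from modifying the saved copy. Since the loop header consumes `len` with `--len`, the copy is the only record of the caller's token length, so consider declaring it `const int` with a name that says so (for example `token_len`) and a short comment that it holds the length of the current "|"-separated token of b.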
@@ -359,7 +360,8 @@
/* Ok, we know that b is a substring from A and does not contain
wildcards, but now the length of both strings must be the same,
too. */
- if (strlen (a) != strlen(b))
+ /* b can contain "|", only use length until first "|" */
+ if (strlen (a) != (size_t)length)
return FALSE;
return ( !len );
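Review bot: The cast in `strlen (a) != (size_t)length` silently turns a negative `length` into a very large value, and no guard on the sign of the incoming `len` is visible in these hunks. It would be worth rejecting `len < 0` up front or making the parameter unsigned. The unchanged comment above still says "the length of both strings must be the same", which no longer describes the check, because `a` is now compared against the token length rather than `strlen(b)`. Folding the new one-line comment into that block would keep the two from contradicting each other. A regression test covering the user "xy" against the spec "x|y" from this thread would pin the intended behaviour.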
--
Thorsten Kukuk, Project Manager/Release Manager SLES
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
GF: Markus Rex, HRB 16746 (AG Nuernberg)
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list