1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date: Mon, 17 Feb 2025 10:31:55 +0800
Subject: pam_cap: Fix potential configuration parsing error
The current configuration parsing does not actually skip user names
that do not start with @, but instead treats the name as a group
name for further parsing, which can result in matching unexpected
capability sets and may trigger potential security issues. Only
names starting with @ should be parsed as group names.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
---
pam_cap/pam_cap.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/pam_cap/pam_cap.c b/pam_cap/pam_cap.c
index 24de329..3ec99bb 100644
--- a/pam_cap/pam_cap.c
+++ b/pam_cap/pam_cap.c
@@ -166,6 +166,7 @@ static char *read_capabilities_for_user(const char *user, const char *source)
if (line[0] != '@') {
D(("user [%s] is not [%s] - skipping", user, line));
+ continue;
}
int i;
|
