From aeb10a6d169da55bab0a5000dce5913e467c9344 Mon Sep 17 00:00:00 2001
From: Enno Gotthold <egotthold@suse.de>
Date: Thu, 10 Mar 2022 16:16:29 +0100
Subject: [PATCH] Security: Fix CVE-2022-0860

Even when PAM is correctly configured and a user account is marked as expired,
that expired account can still log into Cobbler everywhere the PAM module is
used (Web UI, CLI and XML-RPC API).

The same applies to user accounts with passwords set to be expired.

This patch is fixing this and checking that this behavior is now
correct via a reproducible test.
---
 cobbler/modules/authentication/pam.py |  8 ++++++++
 tests/special_cases/security_test.py  | 28 +++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/cobbler/modules/authentication/pam.py b/cobbler/modules/authentication/pam.py
index 97ecc02ab..893422c5b 100644
--- a/cobbler/modules/authentication/pam.py
+++ b/cobbler/modules/authentication/pam.py
@@ -114,6 +114,10 @@ class PamConv(Structure):
 PAM_AUTHENTICATE.restype = c_int
 PAM_AUTHENTICATE.argtypes = [PamHandle, c_int]
 
+PAM_ACCT_MGMT = LIBPAM.pam_acct_mgmt
+PAM_ACCT_MGMT.restype = c_int
+PAM_ACCT_MGMT.argtypes = [PamHandle, c_int]
+
 
 def authenticate(api_handle, username: str, password: str) -> bool:
     """
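Review bot: The new `PAM_ACCT_MGMT` binding carries no comment saying why a second libpam entry point is needed next to `PAM_AUTHENTICATE`, which is the whole point of the CVE fix. A one-line comment above it would keep the next maintainer from dropping it as redundant: `# pam_acct_mgmt(3): enforces account/password expiry and other account restrictions; pam_authenticate(3) alone only checks the credential.` The argtypes mirror the existing `PAM_AUTHENTICATE` declaration, so they look consistent with however `PamHandle` is defined earlier in the file (outside this hunk).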
@@ -157,4 +161,8 @@ def my_conv(n_messages, messages, p_response, app_data):
         return False
 
     retval = PAM_AUTHENTICATE(handle, 0)
+
+    if retval == 0:
+        retval = PAM_ACCT_MGMT(handle, 0)
+
     return retval == 0
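Review bot: The added `pam_acct_mgmt` call collapses every non-zero status into a plain `False`, so the caller cannot tell "wrong password" from "account expired" or from `PAM_NEW_AUTHTOK_REQD` (password expired but changeable), and nothing is logged; rejecting all of these is the safe choice, but it should be stated in a comment on the `if retval == 0:` branch, e.g. `# pam_acct_mgmt(3) rejects expired accounts/passwords (CVE-2022-0860); PAM_NEW_AUTHTOK_REQD is deliberately treated as a failure too, since this module cannot drive a password change`, and the non-zero `retval` is worth emitting at debug level if a logger is reachable from `api_handle`. Separately, no `pam_end()` call is visible between `pam_authenticate` and the final `return`; if the handle is not released elsewhere in `authenticate` (the function body starts outside this hunk), every login leaks a PAM transaction, and the fix is to bind `pam_end` the same way `PAM_ACCT_MGMT` is bound and call `pam_end(handle, retval)` before returning. `authenticate` begins before this hunk, so the start-up of the PAM transaction was not reviewed here.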