h0tw1r3 · h0tw1r3 · Apr 23, 2024 · Apr 23, 2024 · Apr 23, 2024 · Apr 23, 2024
diff --git a/.clang-tidy b/.clang-tidy
@@ -0,0 +1,46 @@
+---
+Checks: 'clang-diagnostic-*,clang-analyzer-*,-clang-analyzer-security.insecureAPI.Deprecated*'
+WarningsAsErrors: ''
+HeaderFilterRegex: ''
+AnalyzeTemporaryDtors: false
+FormatStyle: none
+User: h0tw1r3
+CheckOptions:
+ - key: llvm-else-after-return.WarnOnConditionVariables
+ value: 'false'
+ - key: modernize-loop-convert.MinConfidence
+ value: reasonable
+ - key: modernize-replace-auto-ptr.IncludeStyle
+ value: llvm
+ - key: cert-str34-c.DiagnoseSignedUnsignedCharComparisons
+ value: 'false'
+ - key: google-readability-namespace-comments.ShortNamespaceLines
+ value: '10'
+ - key: cert-err33-c.CheckedFunctions
+ value: '::aligned_alloc;::asctime_s;::at_quick_exit;::atexit;::bsearch;::bsearch_s;::btowc;::c16rtomb;::c32rtomb;::calloc;::clock;::cnd_broadcast;::cnd_init;::cnd_signal;::cnd_timedwait;::cnd_wait;::ctime_s;::fclose;::fflush;::fgetc;::fgetpos;::fgets;::fgetwc;::fopen;::fopen_s;::fprintf;::fprintf_s;::fputc;::fputs;::fputwc;::fputws;::fread;::freopen;::freopen_s;::fscanf;::fscanf_s;::fseek;::fsetpos;::ftell;::fwprintf;::fwprintf_s;::fwrite;::fwscanf;::fwscanf_s;::getc;::getchar;::getenv;::getenv_s;::gets_s;::getwc;::getwchar;::gmtime;::gmtime_s;::localtime;::localtime_s;::malloc;::mbrtoc16;::mbrtoc32;::mbsrtowcs;::mbsrtowcs_s;::mbstowcs;::mbstowcs_s;::memchr;::mktime;::mtx_init;::mtx_lock;::mtx_timedlock;::mtx_trylock;::mtx_unlock;::printf_s;::putc;::putwc;::raise;::realloc;::remove;::rename;::scanf;::scanf_s;::setlocale;::setvbuf;::signal;::snprintf;::snprintf_s;::sprintf;::sprintf_s;::sscanf;::sscanf_s;::strchr;::strerror_s;::strftime;::strpbrk;::strrchr;::strstr;::strtod;::strtof;::strtoimax;::strtok;::strtok_s;::strtol;::strtold;::strtoll;::strtoul;::strtoull;::strtoumax;::strxfrm;::swprintf;::swprintf_s;::swscanf;::swscanf_s;::thrd_create;::thrd_detach;::thrd_join;::thrd_sleep;::time;::timespec_get;::tmpfile;::tmpfile_s;::tmpnam;::tmpnam_s;::tss_create;::tss_get;::tss_set;::ungetc;::ungetwc;::vfprintf;::vfprintf_s;::vfscanf;::vfscanf_s;::vfwprintf;::vfwprintf_s;::vfwscanf;::vfwscanf_s;::vprintf_s;::vscanf;::vscanf_s;::vsnprintf;::vsnprintf_s;::vsprintf;::vsprintf_s;::vsscanf;::vsscanf_s;::vswprintf;::vswprintf_s;::vswscanf;::vswscanf_s;::vwprintf_s;::vwscanf;::vwscanf_s;::wcrtomb;::wcschr;::wcsftime;::wcspbrk;::wcsrchr;::wcsrtombs;::wcsrtombs_s;::wcsstr;::wcstod;::wcstof;::wcstoimax;::wcstok;::wcstok_s;::wcstol;::wcstold;::wcstoll;::wcstombs;::wcstombs_s;::wcstoul;::wcstoull;::wcstoumax;::wcsxfrm;::wctob;::wctrans;::wctype;::wmemchr;::wprintf_s;::wscanf;::wscanf_s;'
+ - key: cert-oop54-cpp.WarnOnlyIfThisHasSuspiciousField
+ value: 'false'
+ - key: cert-dcl16-c.NewSuffixes
+ value: 'L;LL;LU;LLU'
+ - key: google-readability-braces-around-statements.ShortStatementLines
+ value: '1'
+ - key: cppcoreguidelines-non-private-member-variables-in-classes.IgnoreClassesWithAllMemberVariablesBeingPublic
+ value: 'true'
+ - key: google-readability-namespace-comments.SpacesBeforeComments
+ value: '2'
+ - key: modernize-loop-convert.MaxCopySize
+ value: '16'
+ - key: modernize-pass-by-value.IncludeStyle
+ value: llvm
+ - key: modernize-use-nullptr.NullMacros
+ value: 'NULL'
+ - key: llvm-qualified-auto.AddConstToQualified
+ value: 'false'
+ - key: modernize-loop-convert.NamingStyle
+ value: CamelCase
+ - key: llvm-else-after-return.WarnOnUnfixable
+ value: 'false'
+ - key: google-readability-function-size.StatementThreshold
+ value: '800'
+...
+
diff --git a/pam_shield.c b/pam_shield.c
@@ -162,9 +162,13 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
  logmsg(LOG_DEBUG, "user %s", (user == NULL) ? "(unknown)" : user);
 
  /* if not blocking all and the user is known, let go */
- if (!(options & OPT_BLOCK_ALL) && user != NULL && (pwd = getpwnam(user)) != NULL) {
- logmsg(LOG_DEBUG, "ignoring known user %s", user);
- deinit_module();
+ if (!(options & OPT_BLOCK_ALL) && user != NULL) {
+ pwd = getpwnam(user);
+ if (pwd == NULL) {
+ logmsg(LOG_DEBUG, "ignoring known user %s", user);
+ deinit_module();
+ return PAM_IGNORE;
+ }
  return PAM_IGNORE;
  }
 
@@ -280,7 +284,6 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, cons
  }
  /* for every address that this host is known for, check the database */
  for (addr_p = addr_info; addr_p != NULL; addr_p = addr_p->ai_next) {
- whitelisted = 0;
  switch (addr_p->ai_family) {
  case PF_INET:
  addr_family = PAM_SHIELD_ADDR_IPV4;

diff --git a/pam_shield_lib.c b/pam_shield_lib.c
@@ -172,7 +172,7 @@ name_list *new_name_list(char *name) {
  return NULL;
 
  memset(n, 0, sizeof(name_list));
- strcpy(n->name, name);
+ snprintf(n->name, sizeof(n->name), "%s", name);
  return n;
 }
 
@@ -709,7 +709,7 @@ int run_trigger(char *cmd, _pam_shield_db_rec_t *record) {
  int status;
 
  while ((err = waitpid(pid, &status, 0)) > 0)
- ;
+ logmsg(LOG_DEBUG, "child %d exited with status %d", err, WEXITSTATUS(status));
 
  if (WEXITSTATUS(status) != 0)
  return -1;