dir: check account authorization during PAM login
Fixes CVE-2022-24755

Previously, when a user logged in via PAM, Bareos did only check for
authentication (i.e. the "auth" section in PAM). No authorization checks
were made (the "account" section in PAM). This patch now adds the proper
check.
This will break existing PAM configuration!

(cherry picked from commit abe4620)
arogge authored and pstorz committed Mar 12, 2022
1 parent a25a1fc commit e3855b9
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions core/src/dird/auth_pam.cc
Expand Up @@ -182,6 +182,13 @@ static int DoPamAuth(struct pam_handle* pamh,
return err;
}

err = pam_acct_mgmt(pamh, 0);
if (err != PAM_SUCCESS) {
Dmsg1(debuglevel, "PAM authorization failed: %s\n",
pam_strerror(pamh, err));
return err;
}

#if defined(__sun)
void* data;
#else
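
Review bot: The new pam_acct_mgmt() failure branch reports only through Dmsg1 at debuglevel, so as far as this hunk shows, a login rejected by the account stack (for example an expired or denied account) leaves no record outside debug tracing; consider also emitting a non-debug message in that branch so the denial is visible to operators and in audit logs. Because every result other than PAM_SUCCESS is returned as a failure, PAM_NEW_AUTHTOK_REQD (password expired, change required) is rejected as well, which is fail-closed but deserves a one-line comment above the call so the behaviour reads as intentional. The commit message warns that existing PAM configurations will break; a short comment here or an accompanying documentation note that the PAM service file now needs an "account" section would tell administrators what to change.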