From e3855b9481f20760035134cd1e459185f05a0c35 Mon Sep 17 00:00:00 2001
From: Andreas Rogge
Date: Thu, 10 Mar 2022 10:31:26 +0100
Subject: [PATCH] dir: check account authorization during PAM login
Fixes CVE-2022-24755 Previously, when a user logged in via PAM, Bareos did only check for authentication (i.e. the "auth" section in PAM). No authorization checks were made (the "account" section in PAM). This patch now adds the proper check. This will break existing PAM configuration!
(cherry picked from commit abe462037388635193f3b5b71575f32596c3b69d)
---
 core/src/dird/auth_pam.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/core/src/dird/auth_pam.cc b/core/src/dird/auth_pam.cc
index d1483925936..d7b6373c93a 100644
--- a/core/src/dird/auth_pam.cc
+++ b/core/src/dird/auth_pam.cc
@@ -182,6 +182,13 @@ static int DoPamAuth(struct pam_handle* pamh,
 return err;
 }
 
+ err = pam_acct_mgmt(pamh, 0);
+ if (err != PAM_SUCCESS) {
+ Dmsg1(debuglevel, "PAM authorization failed: %s\n",
+ pam_strerror(pamh, err));
+ return err;
+ }
+
 #if defined(__sun)
 void* data;
 #else
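Review bot: The new pam_acct_mgmt() call treats every non-PAM_SUCCESS result as a denial, which includes PAM_NEW_AUTHTOK_REQD (expired password that could still be changed); that is the right fail-closed choice for a daemon login that has no way to run a password-change conversation, but nothing in the hunk says so, and the commit message already warns that existing configurations will break. A comment above the call would make the intent explicit, e.g. `// Run the PAM "account" stack (expiry, access restrictions). Any non-success, including PAM_NEW_AUTHTOK_REQD, denies the login; there is no path to renew a token here.` The log text `"PAM authorization failed"` could also name the stack that failed (`"PAM account management failed"`) so an operator can map it to the account section of the PAM config when debugging a rejected login. DoPamAuth starts before and continues after this hunk, so the surrounding error-return convention is not visible here.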