auth/pam: Check for account/password expiry

See GHSA-6cp7-g972-w9m9. Thanks Youssef Rebahi-Gilbert (ysf) for reporting the issue.
foxcpp · Mar 6, 2022 · 7ee6a39 · 7ee6a39
1 parent 3412e59
commit 7ee6a39
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 1 deletion.
diff --git a/cmd/maddy-pam-helper/pam.c b/cmd/maddy-pam-helper/pam.c
@@ -1,3 +1,23 @@
+//+build libpam
+
+/*
+Maddy Mail Server - Composable all-in-one email server.
+Copyright © 2019-2022 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
 #define _POSIX_C_SOURCE 200809L
 #include <stdio.h>
 #include <stdlib.h>
@@ -46,6 +66,19 @@ struct error_obj run_pam_auth(const char *username, char *password) {
         return ret_val;
     }
 
+    status = pam_acct_mgmt(local_auth, PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK);
+    if (status != PAM_SUCCESS) {
+        struct error_obj ret_val;
+        if (status == PAM_AUTH_ERR || status == PAM_USER_UNKNOWN || status == PAM_NEW_AUTHTOK_REQD) {
+            ret_val.status = 1;
+        } else {
+            ret_val.status = 2;
+        }
+        ret_val.func_name = "pam_acct_mgmt";
+        ret_val.error_msg = pam_strerror(local_auth, status);
+        return ret_val;
+    }
+
     status = pam_end(local_auth, status);
     if (status != PAM_SUCCESS) {
         struct error_obj ret_val;

diff --git a/internal/auth/pam/pam.c b/internal/auth/pam/pam.c
@@ -2,7 +2,7 @@
 
 /*
 Maddy Mail Server - Composable all-in-one email server.
-Copyright © 2019-2020 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
+Copyright © 2019-2022 Max Mazurov <fox.cpp@disroot.org>, Maddy Mail Server contributors
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -66,6 +66,19 @@ struct error_obj run_pam_auth(const char *username, char *password) {
         return ret_val;
     }
 
+    status = pam_acct_mgmt(local_auth, PAM_SILENT|PAM_DISALLOW_NULL_AUTHTOK);
+    if (status != PAM_SUCCESS) {
+        struct error_obj ret_val;
+        if (status == PAM_AUTH_ERR || status == PAM_USER_UNKNOWN || status == PAM_NEW_AUTHTOK_REQD) {
+            ret_val.status = 1;
+        } else {
+            ret_val.status = 2;
+        }
+        ret_val.func_name = "pam_acct_mgmt";
+        ret_val.error_msg = pam_strerror(local_auth, status);
+        return ret_val;
+    }
+
     status = pam_end(local_auth, status);
     if (status != PAM_SUCCESS) {
         struct error_obj ret_val;