author | Sam Hartman <hartmans@debian.org> | 2023-09-11 14:00:42 -0600 |
---|---|---|
committer | Sam Hartman <hartmans@debian.org> | 2024-04-08 16:35:07 -0600 |
commit | b3cc48d4d1cd6a1cc3ba301539d5cdb4b638637f (patch) | |
tree | 998f06494bc391988059a517ff800e5d8e5af6b3 | |
parent | 550f3099192778f64096d94f4a4fc24275cda1ee (diff) |
pam_unix_dont_trust_chkpwd_caller
Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
helper could be sgid shadow instead of suid root, as it is in Debian and
Ubuntu by default. Drop any sgid bits as well.
Authors: Steve Langasek <vorlon@debian.org>,
Michael Spang <mspang@csclub.uwaterloo.ca>
Upstream status: to be submitted
Gbp-Pq: Name pam_unix_dont_trust_chkpwd_caller.patch
-rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 556a2e2c..5e7b571e 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -138,9 +138,10 @@ int main(int argc, char *argv[]) /* if the caller specifies the username, verify that user matches it */ if (user == NULL || strcmp(user, argv[1])) { + gid_t gid = getgid(); user = argv[1]; /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) + if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) return PAM_AUTH_ERR; } } |
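Review bot: in the changed condition the group drop uses setresgid(gid, gid, gid), but the user drop is still setuid(getuid()), which clears the saved set-user-ID only when the effective uid is 0. Calling setresuid() with the real uid for all three ids, next to the setresgid() call, would make the drop permanent regardless of how the helper is installed, which is what the existing comment "permanently change to the real user" promises. That comment could also be extended to say that set-group-ID privileges are dropped here, since the reason for the new call (the helper may be sgid shadow rather than suid root) is only in the commit message and not in the code.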