authorSam Hartman <hartmans@debian.org>2023-09-11 14:00:42 -0600
committerSam Hartman <hartmans@debian.org>2024-04-08 16:35:07 -0600
commitb3cc48d4d1cd6a1cc3ba301539d5cdb4b638637f (patch)
tree998f06494bc391988059a517ff800e5d8e5af6b3
parent550f3099192778f64096d94f4a4fc24275cda1ee (diff)
pam_unix_dont_trust_chkpwd_caller
Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd helper could be sgid shadow instead of suid root, as it is in Debian and Ubuntu by default. Drop any sgid bits as well. Authors: Steve Langasek <vorlon@debian.org>, Michael Spang <mspang@csclub.uwaterloo.ca> Upstream status: to be submitted Gbp-Pq: Name pam_unix_dont_trust_chkpwd_caller.patch
-rw-r--r--modules/pam_unix/unix_chkpwd.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 556a2e2c..5e7b571e 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -138,9 +138,10 @@ int main(int argc, char *argv[])
/* if the caller specifies the username, verify that user
matches it */
if (user == NULL || strcmp(user, argv[1])) {
+ gid_t gid = getgid();
user = argv[1];
/* no match -> permanently change to the real user and proceed */
- if (setuid(getuid()) != 0)
+ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
return PAM_AUTH_ERR;
}
}
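Review bot: The user half of the drop on the changed `if` line still uses `setuid(getuid())`, which clears the saved set-user-ID only when the effective UID is 0. If the helper were ever installed setuid to a non-root account, the saved ID would survive and the drop would not be permanent, contrary to the comment above it. Mirroring the new group call closes that gap: add `uid_t uid = getuid();` and use `if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)`. The comment is also stale and could read `/* no match -> permanently drop to the real group and user (group first, while we still may) and proceed */`, since the ordering is security-relevant. `main` starts and ends outside this hunk, so it cannot be checked from here whether `setresgid` has a visible prototype (glibc needs `_GNU_SOURCE` for it).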