author | Steve Langasek <vorlon@debian.org> | 2008-07-26 19:56:10 -0700 |
---|---|---|
committer | Steve Langasek <steve.langasek@ubuntu.com> | 2019-01-03 17:01:55 -0800 |
commit | fe177a4cc394567465a75ed4899e0f67024a52fb (patch) | |
tree | 4423bfb418b9a89c9387d1db1f6c1f6dbef7a6e5 /debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch | |
parent | 1ee085e4abdbe67fc98116e87c18296bf2edd7b0 (diff) | |
download | pam-fe177a4cc394567465a75ed4899e0f67024a52fb.tar.gz pam-fe177a4cc394567465a75ed4899e0f67024a52fb.tar.bz2 pam-fe177a4cc394567465a75ed4899e0f67024a52fb.zip |
New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
regression which prevents sgid shadow apps from being able to authenticate
any more because the module forces use of the helper and the helper won't
allow authentication of arbitrary users. This change does mean we're
going to be noisier for the time being in an SELinux environment, which
should be addressed but is not a regression on Debian.
Diffstat (limited to 'debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch')
-rw-r--r-- | debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch new file mode 100644 index 00000000..df5ffcf7 --- /dev/null +++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch @@ -0,0 +1,25 @@ +Revert upstream change that prevents pam_unix from working with sgid +shadow applications. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: to be submitted (and debated...) + +Index: pam.deb/modules/pam_unix/passverify.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/passverify.c ++++ pam.deb/modules/pam_unix/passverify.c +@@ -198,11 +198,11 @@ + * ...and shadow password file entry for this user, + * if shadowing is enabled + */ ++ *spwdent = pam_modutil_getspnam(pamh, name); + #ifndef HELPER_COMPILE +- if (geteuid() || SELINUX_ENABLED) ++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED)) + return PAM_UNIX_RUN_HELPER; + #endif +- *spwdent = pam_modutil_getspnam(pamh, name); + if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; + } |
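Review bot: the new condition `*spwdent == NULL && (geteuid() || SELINUX_ENABLED)` in the passverify.c hunk treats every NULL return from `pam_modutil_getspnam()` the same way, so "cannot read the shadow file" and "no shadow entry for this user" both fall through to `PAM_UNIX_RUN_HELPER` for non-root or SELinux callers. It also changes the SELinux case: a caller that can read the entry in-process now skips the helper that was previously always used when `SELINUX_ENABLED` was set. Since the lookup now runs before the check, confined callers will attempt the read and fail first, which is the extra noise the commit message mentions. Please add a comment above the moved lookup stating that the direct read is tried first on purpose for sgid shadow callers. Consider also keeping the helper unconditional when `SELINUX_ENABLED` is set, doing the early lookup only on the `geteuid()` path, so that the SELinux behaviour is unchanged by this patch.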