summaryrefslogtreecommitdiff
path: root/debian
diff options
context:
space:
mode:
authorSteve Langasek <vorlon@debian.org>2008-07-27 01:26:23 -0700
committerSteve Langasek <steve.langasek@ubuntu.com>2019-01-03 17:28:18 -0800
commit9359f1c2804c265ace0b57ffef1761100a06c6cd (patch)
tree49c0c8b4640bb912fd9f4bf7bb7aa5e106b964c7 /debian
parent34f77a041c55ea3734a7b59a21ab5b7fb5d43e2a (diff)
New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an
upstream change that causes unix_chkpwd to assume that setuid(getuid()) is sufficient to drop permissions and attempt any authentication on behalf of the user.
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog4
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch28
-rw-r--r--debian/patches-applied/series1
3 files changed, 33 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 1d6b5534..2b851c0a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -43,6 +43,10 @@ pam (1.0.1-1) UNRELEASED; urgency=low
allow authentication of arbitrary users. This change does mean we're
going to be noisier for the time being in an SELinux environment, which
should be addressed but is not a regression on Debian.
+ * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an
+ upstream change that causes unix_chkpwd to assume that setuid(getuid())
+ is sufficient to drop permissions and attempt any authentication on
+ behalf of the user.
* The password-changing helper functionality for SELinux systems has been
split out into a separate unix_update binary, so at long last we can
change unix_chkpwd to be sgid shadow instead of suid root.
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 00000000..ba36e8c8
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,28 @@
+Revert upstream change that causes unix_chkpwd to assume it's ok to
+attempt authentication for any username as long as we call
+setuid(getuid()) first. This is specifically *not* the case on Debian
+and Ubuntu, where unix_chkpwd is setgid shadow instead of setuid root.
+
+Adding an additional setgid(getgid()) call may be enough to fix this,
+but this needs further examination before pushing out such a change.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: Debian-specific, pending the above analysis
+
+Index: pam.deb/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
++++ pam.deb/modules/pam_unix/unix_chkpwd.c
+@@ -101,10 +101,7 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (strcmp(user, argv[1])) {
+- user = argv[1];
+- /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
+- return PAM_AUTH_ERR;
++ return PAM_AUTH_ERR;
+ }
+ }
+
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index 99e79ece..4fdb8089 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -2,6 +2,7 @@ pam_unix_thread-safe_save_old_password.patch
pam_unix_setreuid_juggling.patch
pam_unix_no_helper_for_nis+.patch
pam_unix_fix_sgid_shadow_auth.patch
+pam_unix_dont_trust_chkpwd_caller.patch
007_modules_pam_unix
008_modules_pam_limits_chroot
021_nis_cleanup