author: Dmitry V. Levin <ldv@altlinux.org> 2021-08-19 08:00:00 +0000
committer: Dmitry V. Levin <ldv@altlinux.org> 2021-08-19 08:00:00 +0000
commit: 470823c4aacef5cb3b1180be6ed70846b61a3752
tree: 6c07161caed93dad2bb3559c1c8d4bb8ff1433a6 /modules/pam_unix
parent: 9e788e4b84a7c57508db785a3e200b5d3e407c30
pam_unix: workaround the problem caused by libnss_systemd

The getspnam(3) manual page says that errno shall be set to EACCES when the caller does not have permission to access the shadow password file. Unfortunately, this contract is broken when libnss_systemd is used in the nss stack.

Workaround this problem by falling back to the helper invocation when pam_modutil_getspnam returns NULL regardless of errno. As pam_unix already behaves this way when selinux is enabled, it should be OK for the case when selinux is not enabled, too.

* modules/pam_unix/passverify.c (get_account_info): When pam_modutil_getspnam returns NULL, unconditionally fall back to the helper invocation.

Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
Resolves: https://github.com/linux-pam/linux-pam/issues/379
Diffstat (limited to 'modules/pam_unix')
-rw-r--r-- modules/pam_unix/passverify.c 3
1 files changed, 1 insertions, 2 deletions
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5460b057..fd81051d 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -245,8 +245,7 @@ PAMH_ARG_DECL(int get_account_info,
if (*spwdent == NULL) {
#ifndef HELPER_COMPILE
/* still a chance the user can authenticate */
- if (errno == EACCES || SELINUX_ENABLED)
- return PAM_UNIX_RUN_HELPER;
+ return PAM_UNIX_RUN_HELPER;
#endif
return PAM_AUTHINFO_UNAVAIL;
}
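Review bot: the comment kept above the now unconditional `return PAM_UNIX_RUN_HELPER;` ("still a chance the user can authenticate") does not say why errno is no longer consulted. Extend it to note that getspnam may return NULL without EACCES when libnss_systemd is in the nss stack, so that a later reader does not restore the `errno == EACCES` check. With the condition removed, the `return PAM_AUTHINFO_UNAVAIL;` after `#endif` is reachable only when HELPER_COMPILE is defined, and every NULL result in the module build, whatever its errno, now goes to the helper; it is worth confirming that the helper path still yields a sensible result when the account has no shadow entry at all.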