summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorTomas Mraz <tm@t8m.info>2005-10-26 19:05:32 +0000
committerTomas Mraz <tm@t8m.info>2005-10-26 19:05:32 +0000
commitdba185605b1f9ce2d8d7e90b956abe9fa0487f24 (patch)
treef77ad7cda420c90dab1f795b4f459e2fd6c699e4 /modules
parentd9b712775c5f1962d3490b43465537c3e28a8c49 (diff)
Relevant BUGIDs: Red Hat bz 168180
Purpose of commit: bugfix Commit summary: --------------- 2005-10-26 Tomas Mraz <t8m@centrum.cz> * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary), modules/pam_unix/pam_unix_passwd.c (_unix_run_shadow_binary), modules/pam_unix/support.c (_unix_run_shadow_binary_): Set real uid to 0 before executing the helper if SELinux is enabled. * modules/pam_unix/unix_chkpwd.c (main): Disable user check only if real uid is 0 (CVE-2005-2977). Log failed password check attempt.
Diffstat (limited to 'modules')
-rw-r--r--modules/pam_unix/pam_unix_acct.c7
-rw-r--r--modules/pam_unix/pam_unix_passwd.c7
-rw-r--r--modules/pam_unix/support.c7
-rw-r--r--modules/pam_unix/unix_chkpwd.c12
4 files changed, 27 insertions, 6 deletions
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 324ab5ed..ec47d4b6 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -116,6 +116,13 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons
}
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
index 50a81e38..727f3b3b 100644
--- a/modules/pam_unix/pam_unix_passwd.c
+++ b/modules/pam_unix/pam_unix_passwd.c
@@ -263,6 +263,13 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const
close(i);
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
index 3ed4b1f3..38a5d88b 100644
--- a/modules/pam_unix/support.c
+++ b/modules/pam_unix/support.c
@@ -521,6 +521,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
close(i);
}
}
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index cc42c4df..b817f658 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -457,13 +457,12 @@ int main(int argc, char *argv[])
}
/*
- * determine the current user's name is.
- * On a SELinux enabled system, policy will prevent third parties from using
- * unix_chkpwd as a password guesser. Leaving the existing check prevents
- * su from working, Since the current uid is the users and the password is
- * for root.
+ * Determine what the current user's name is.
+ * On a SELinux enabled system with a strict policy leaving the
+ * existing check prevents shadow password authentication from working.
+ * We must thus skip the check if the real uid is 0.
*/
- if (SELINUX_ENABLED) {
+ if (SELINUX_ENABLED && getuid() == 0) {
user=argv[1];
}
else {
@@ -525,6 +524,7 @@ int main(int argc, char *argv[])
/* return pass or fail */
if ((retval != PAM_SUCCESS) || force_failure) {
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
return PAM_AUTH_ERR;
} else {
return PAM_SUCCESS;