diff options
| -rw-r--r-- | debian/changelog | 4 | ||||
| -rw-r--r-- | debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch | 28 | ||||
| -rw-r--r-- | debian/patches-applied/series | 1 |
3 files changed, 33 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 1d6b5534..2b851c0a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -43,6 +43,10 @@ pam (1.0.1-1) UNRELEASED; urgency=low allow authentication of arbitrary users. This change does mean we're going to be noisier for the time being in an SELinux environment, which should be addressed but is not a regression on Debian. + * New patch pam_unix_dont_trust_chkpwd_caller.patch, rolling back an + upstream change that causes unix_chkpwd to assume that setuid(getuid()) + is sufficient to drop permissions and attempt any authentication on + behalf of the user. * The password-changing helper functionality for SELinux systems has been split out into a separate unix_update binary, so at long last we can change unix_chkpwd to be sgid shadow instead of suid root. diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch new file mode 100644 index 00000000..ba36e8c8 --- /dev/null +++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch @@ -0,0 +1,28 @@ +Revert upstream change that causes unix_chkpwd to assume it's ok to +attempt authentication for any username as long as we call +setuid(getuid()) first. This is specifically *not* the case on Debian +and Ubuntu, where unix_chkpwd is setgid shadow instead of setuid root. + +Adding an additional setgid(getgid()) call may be enough to fix this, +but this needs further examination before pushing out such a change. + +Authors: Steve Langasek <vorlon@debian.org> + +Upstream status: Debian-specific, pending the above analysis + +Index: pam.deb/modules/pam_unix/unix_chkpwd.c +=================================================================== +--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c ++++ pam.deb/modules/pam_unix/unix_chkpwd.c +@@ -101,10 +101,7 @@ + /* if the caller specifies the username, verify that user + matches it */ + if (strcmp(user, argv[1])) { +- user = argv[1]; +- /* no match -> permanently change to the real user and proceed */ +- if (setuid(getuid()) != 0) +- return PAM_AUTH_ERR; ++ return PAM_AUTH_ERR; + } + } + diff --git a/debian/patches-applied/series b/debian/patches-applied/series index 99e79ece..4fdb8089 100644 --- a/debian/patches-applied/series +++ b/debian/patches-applied/series @@ -2,6 +2,7 @@ pam_unix_thread-safe_save_old_password.patch pam_unix_setreuid_juggling.patch pam_unix_no_helper_for_nis+.patch pam_unix_fix_sgid_shadow_auth.patch +pam_unix_dont_trust_chkpwd_caller.patch 007_modules_pam_unix 008_modules_pam_limits_chroot 021_nis_cleanup |