-rw-r--r-- | debian/changelog | 6 | ||||
-rw-r--r-- | debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch | 25 | ||||
-rw-r--r-- | debian/patches-applied/series | 1 |
3 files changed, 32 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index d41d33c5..b5d3ca5d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -31,6 +31,12 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
* New patch no_helper_for_nis+.patch, which restores the behavior of doing in-process NIS+ account checking instead of unconditionally passing it off to the unix_chkpwd helper; if it wasn't broke, don't fix it.
+ * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
+ regression which prevents sgid shadow apps from being able to authenticate
+ any more because the module forces use of the helper and the helper won't
+ allow authentication of arbitrary users. This change does mean we're
+ going to be noisier for the time being in an SELinux environment, which
+ should be addressed but is not a regression on Debian.
* The password-changing helper functionality for SELinux systems has been split out into a separate unix_update binary, so at long last we can change unix_chkpwd to be sgid shadow instead of suid root.
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 00000000..df5ffcf7
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ * ...and shadow password file entry for this user,
+ * if shadowing is enabled
+ */
++ *spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index c67db0e0..168065ab 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,6 +1,7 @@
thread-safe_save_old_password.patch
setreuid_juggling.patch
no_helper_for_nis+.patch
+pam_unix_fix_sgid_shadow_auth.patch
007_modules_pam_unix
008_modules_pam_limits_chroot
021_nis_cleanup |
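Review bot: The new condition `if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))` only hands off to unix_chkpwd after an in-process `pam_modutil_getspnam()` has already been attempted, so on SELinux systems every authentication first performs the shadow read that upstream routed through the helper to avoid, and if the calling domain happens to be allowed to read the shadow file the hash is now verified in the caller's domain instead of the helper's — the changelog describes this as "noisier", but it is also a change in where verification happens, which is presumably why upstream forced the helper whenever SELinux is enabled. If the intent is only to restore sgid-shadow callers, keep the SELinux branch unconditional and let the lookup result gate only the euid check, as sketched below; sgid-shadow callers on SELinux would then still be sent to the helper, which is the trade-off to state explicitly in the patch header. The NULL test also does not distinguish a permission failure from a user who simply has no shadow entry (errno handling of pam_modutil_getspnam is not visible here), so a genuinely missing entry now costs a fork/exec of the helper before the same PAM_AUTHINFO_UNAVAIL is reported. The enclosing function starts before and ends after this hunk.
```c
	/* … unchanged: passwd lookup … */
#ifndef HELPER_COMPILE
	/* Under SELinux always verify in the helper, as upstream intended. */
	if (SELINUX_ENABLED)
		return PAM_UNIX_RUN_HELPER;
#endif
	*spwdent = pam_modutil_getspnam(pamh, name);
#ifndef HELPER_COMPILE
	/* Unprivileged caller that cannot read shadow itself: use the helper. */
	if (*spwdent == NULL && geteuid())
		return PAM_UNIX_RUN_HELPER;
#endif
	/* … unchanged: PAM_AUTHINFO_UNAVAIL check … */
```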