-rw-r--r--debian/changelog6
-rw-r--r--debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch25
-rw-r--r--debian/patches-applied/series1
3 files changed, 32 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index d41d33c5..b5d3ca5d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -31,6 +31,12 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
* New patch no_helper_for_nis+.patch, which restores the behavior of doing
in-process NIS+ account checking instead of unconditionally passing it
off to the unix_chkpwd helper; if it wasn't broke, don't fix it.
+ * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
+ regression which prevents sgid shadow apps from being able to authenticate
+ any more because the module forces use of the helper and the helper won't
+ allow authentication of arbitrary users. This change does mean we're
+ going to be noisier for the time being in an SELinux environment, which
+ should be addressed but is not a regression on Debian.
* The password-changing helper functionality for SELinux systems has been
split out into a separate unix_update binary, so at long last we can
change unix_chkpwd to be sgid shadow instead of suid root.
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 00000000..df5ffcf7
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek <vorlon@debian.org>
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ * ...and shadow password file entry for this user,
+ * if shadowing is enabled
+ */
++ *spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
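Review bot: The moved `*spwdent = pam_modutil_getspnam(pamh, name);` now drives the helper decision purely from a NULL result, which conflates "no shadow entry for this user" with "caller may not read the shadow file"; only the latter is a reason to drop to the helper, and the `#ifndef HELPER_COMPILE` branch cannot tell them apart. If the lookup reports the reason through errno (glibc sets EACCES for a permission failure — confirm for the libc in use, and that pam_modutil_getspnam preserves it), saving it right after the call and testing it in the condition would keep the helper path to the permission case. The reordering also deserves a comment, since the old order was deliberate and the new one is what produces the SELinux denials the changelog mentions, e.g. `/* Try the shadow lookup directly first: sgid-shadow callers can read it without the helper; fall back to unix_chkpwd only when the lookup fails. */` above the new line. The enclosing function begins before this hunk; only its closing brace is visible here.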
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index c67db0e0..168065ab 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,6 +1,7 @@
thread-safe_save_old_password.patch
setreuid_juggling.patch
no_helper_for_nis+.patch
+pam_unix_fix_sgid_shadow_auth.patch
007_modules_pam_unix
008_modules_pam_limits_chroot
021_nis_cleanup