Diffstat (limited to 'debian/patches-applied/036_pam_wheel_getlogin_considered_harmful')
-rw-r--r--debian/patches-applied/036_pam_wheel_getlogin_considered_harmful251
1 files changed, 251 insertions, 0 deletions
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
new file mode 100644
index 00000000..b95a677b
--- /dev/null
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,251 @@
+Patch for Debian bug #163787 et al
+
+Always use the process uid, not getlogin(), to identify an applicant in
+pam_wheel; utmp may be wrong or may have no entry at all in the case of
+an xterm
+
+Authors: Ben Collins <bcollins@debian.org>
+
+Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
+
+Index: Linux-PAM/modules/pam_wheel/pam_wheel.c
+===================================================================
+--- Linux-PAM/modules/pam_wheel/pam_wheel.c.orig
++++ Linux-PAM/modules/pam_wheel/pam_wheel.c
+@@ -60,9 +60,8 @@
+ /* argument parsing */
+
+ #define PAM_DEBUG_ARG 0x0001
+-#define PAM_USE_UID_ARG 0x0002
+-#define PAM_TRUST_ARG 0x0004
+-#define PAM_DENY_ARG 0x0010
++#define PAM_TRUST_ARG 0x0002
++#define PAM_DENY_ARG 0x0004
+ #define PAM_ROOT_ONLY_ARG 0x0020
+
+ static int
+@@ -80,8 +79,7 @@
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+- else if (!strcmp(*argv,"use_uid"))
+- ctrl |= PAM_USE_UID_ARG;
++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
+ else if (!strcmp(*argv,"trust"))
+ ctrl |= PAM_TRUST_ARG;
+ else if (!strcmp(*argv,"deny"))
+@@ -129,27 +127,14 @@
+ }
+ }
+
+- if (ctrl & PAM_USE_UID_ARG) {
+- tpwd = pam_modutil_getpwuid (pamh, getuid());
+- if (!tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
+- }
+- fromsu = tpwd->pw_name;
+- } else {
+- fromsu = pam_modutil_getlogin(pamh);
+- if (fromsu) {
+- tpwd = pam_modutil_getpwnam (pamh, fromsu);
+- }
+- if (!fromsu || !tpwd) {
+- if (ctrl & PAM_DEBUG_ARG) {
+- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+- }
+- return PAM_SERVICE_ERR;
++ tpwd = pam_modutil_getpwuid (pamh, getuid());
++ if (!tpwd) {
++ if (ctrl & PAM_DEBUG_ARG) {
++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
+ }
++ return PAM_SERVICE_ERR;
+ }
++ fromsu = tpwd->pw_name;
+
+ /*
+ * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu
+Index: Linux-PAM/modules/pam_wheel/pam_wheel.8.xml
+===================================================================
+--- Linux-PAM/modules/pam_wheel/pam_wheel.8.xml.orig
++++ Linux-PAM/modules/pam_wheel/pam_wheel.8.xml
+@@ -33,9 +33,6 @@
+ <arg choice="opt">
+ trust
+ </arg>
+- <arg choice="opt">
+- use_uid
+- </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -115,18 +112,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>
+- <option>use_uid</option>
+- </term>
+- <listitem>
+- <para>
+- The check for wheel membership will be done against
+- the current uid instead of the original one (useful when
+- jumping with su from one account to another for example).
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+Index: Linux-PAM/modules/pam_wheel/pam_wheel.8
+===================================================================
+--- Linux-PAM/modules/pam_wheel/pam_wheel.8.orig
++++ Linux-PAM/modules/pam_wheel/pam_wheel.8
+@@ -1,11 +1,11 @@
+ .\" Title: pam_wheel
+ .\" Author:
+-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
+-.\" Date: 06/09/2006
+-.\" Manual: Linux\-PAM Manual
+-.\" Source: Linux\-PAM Manual
++.\" Generator: DocBook XSL Stylesheets v1.72.0 <http://docbook.sf.net/>
++.\" Date: 08/19/2007
++.\" Manual: Linux-PAM Manual
++.\" Source: Linux-PAM Manual
+ .\"
+-.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
++.TH "PAM_WHEEL" "8" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+ .\" disable hyphenation
+ .nh
+ .\" disable justification (adjust text to left margin only)
+@@ -14,7 +14,7 @@
+ pam_wheel \- Only permit root access to members of group wheel
+ .SH "SYNOPSIS"
+ .HP 13
+-\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
++\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust]
+ .SH "DESCRIPTION"
+ .PP
+ The pam_wheel PAM module is used to enforce the so\-called
+@@ -24,30 +24,37 @@
+ group. If no group with this name exist, the module is using the group with the group\-ID
+ \fB0\fR.
+ .SH "OPTIONS"
+-.TP 3n
++.PP
+ \fBdebug\fR
++.RS 4
+ Print debug information.
+-.TP 3n
++.RE
++.PP
+ \fBdeny\fR
++.RS 4
+ Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
+ \fBgroup\fR
+ option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless
+ \fBtrust\fR
+ was also specified, in which case we return PAM_SUCCESS).
+-.TP 3n
++.RE
++.PP
+ \fBgroup=\fR\fB\fIname\fR\fR
++.RS 4
+ Instead of checking the wheel or GID 0 groups, use the
+ \fB\fIname\fR\fR
+ group to perform the authentication.
+-.TP 3n
++.RE
++.PP
+ \fBroot_only\fR
++.RS 4
+ The check for wheel membership is done only.
+-.TP 3n
++.RE
++.PP
+ \fBtrust\fR
++.RS 4
+ The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd).
+-.TP 3n
+-\fBuse_uid\fR
+-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example).
++.RE
+ .SH "MODULE SERVICES PROVIDED"
+ .PP
+ The
+@@ -56,32 +63,46 @@
+ \fBaccount\fR
+ services are supported.
+ .SH "RETURN VALUES"
+-.TP 3n
++.PP
+ PAM_AUTH_ERR
++.RS 4
+ Authentication failure.
+-.TP 3n
++.RE
++.PP
+ PAM_BUF_ERR
++.RS 4
+ Memory buffer error.
+-.TP 3n
++.RE
++.PP
+ PAM_IGNORE
++.RS 4
+ The return value should be ignored by PAM dispatch.
+-.TP 3n
++.RE
++.PP
+ PAM_PERM_DENY
++.RS 4
+ Permission denied.
+-.TP 3n
++.RE
++.PP
+ PAM_SERVICE_ERR
++.RS 4
+ Cannot determine the user name.
+-.TP 3n
++.RE
++.PP
+ PAM_SUCCESS
++.RS 4
+ Success.
+-.TP 3n
++.RE
++.PP
+ PAM_USER_UNKNOWN
++.RS 4
+ User not known.
++.RE
+ .SH "EXAMPLES"
+ .PP
+ The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants.
+ .sp
+-.RS 3n
++.RS 4
+ .nf
+ su auth sufficient pam_rootok.so
+ su auth required pam_wheel.so
+Index: Linux-PAM/modules/pam_wheel/README
+===================================================================
+--- Linux-PAM/modules/pam_wheel/README.orig
++++ Linux-PAM/modules/pam_wheel/README
+@@ -39,12 +39,6 @@
+ modules the wheel members may be able to su to root without being prompted
+ for a passwd).
+
+-use_uid
+-
+- The check for wheel membership will be done against the current uid instead
+- of the original one (useful when jumping with su from one account to
+- another for example).
+-
+ EXAMPLES
+
+ The root account gains access by default (rootok), only wheel members can
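Review bot: The `use_uid` branch in the embedded pam_wheel.c hunk, `else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */`, has an empty-statement body: it still chains to the following `else if`, but `-Wempty-body` warns on it and a reader can mistake the comment for the body. Braces make the intentional no-op explicit: `else if (!strcmp(*argv,"use_uid")) { /* ignored for compat. */ }`. Since the option is now silently accepted, an administrator who still lists `use_uid` in a PAM config gets no signal that it does nothing; a `pam_syslog(pamh, LOG_DEBUG, ...)` line in that branch, or a sentence in the patch header, would cover that. The argument-parsing function this hunk edits begins before the `@@ -80,8 +79,7 @@` hunk, and the renumbering of `PAM_TRUST_ARG`/`PAM_DENY_ARG` is only safe because those masks are file-private `#define`s, which the patch description could state.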