From c16e3322975dd3ced7817602e88be8b4557e5c6e Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Wed, 26 Aug 2009 09:30:35 -0700
Subject: debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch to call setregid() instead of always returning an error on username mismatch in unix_chkpwd, needed in the SELinux case and in some corner cases with the broken_shadow option. Thanks to Michael Spang for the analysis. Closes: #543589.
---
 debian/changelog | 10 ++++++++
 .../pam_unix_dont_trust_chkpwd_caller.patch | 27 ++++++++++------------
 2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 60f3e5cb..a7aeffc5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+pam (1.1.0-2) UNRELEASED; urgency=low
+
+ * debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch
+ to call setregid() instead of always returning an error on username
+ mismatch in unix_chkpwd, needed in the SELinux case and in some corner
+ cases with the broken_shadow option. Thanks to Michael Spang for the
+ analysis. Closes: #543589.
+
+ -- Steve Langasek Wed, 26 Aug 2009 09:23:57 -0700
+
 pam (1.1.0-1) unstable; urgency=low
 
 * New upstream version.
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
index ba36e8c8..80334841 100644
--- a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -1,28 +1,25 @@
-Revert upstream change that causes unix_chkpwd to assume it's ok to
-attempt authentication for any username as long as we call
-setuid(getuid()) first. This is specifically *not* the case on Debian
-and Ubuntu, where unix_chkpwd is setgid shadow instead of setuid root.
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
 
-Adding an additional setgid(getgid()) call may be enough to fix this,
-but this needs further examination before pushing out such a change.
+Authors: Steve Langasek ,
+ Michael Spang
 
-Authors: Steve Langasek
-
-Upstream status: Debian-specific, pending the above analysis
+Upstream status: to be submitted
 
 Index: pam.deb/modules/pam_unix/unix_chkpwd.c
 ===================================================================
 --- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
 +++ pam.deb/modules/pam_unix/unix_chkpwd.c
-@@ -101,10 +101,7 @@
+@@ -137,9 +137,10 @@
  /* if the caller specifies the username, verify that user matches it */
  if (strcmp(user, argv[1])) {
-- user = argv[1];
-- /* no match -> permanently change to the real user and proceed */
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
 - if (setuid(getuid()) != 0)
-- return PAM_AUTH_ERR;
-+ return PAM_AUTH_ERR;
++ if (setregid(gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
 }
 }
-

-- cgit v1.2.3
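Review bot: The added `setregid(gid, gid)` only clears the saved set-group-ID because of the Linux rule that supplying a real gid (not -1) also resets the saved gid; nothing in the hunk records that dependency, and on a platform with different setregid() semantics the helper could presumably still switch back to the shadow group after the check. Given this code already targets Linux, `if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)` states the intent explicitly (assuming _GNU_SOURCE is in effect, which cannot be seen from here), and the retained comment should be widened to cover the new gid drop and its ordering, e.g. `/* no match -> drop sgid first (helper may be sgid shadow, not suid root), then permanently become the real user and proceed */`. The enclosing function starts and ends outside the hunk, so whether getgid() or the shadow gid is already captured earlier cannot be checked from this view.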