From fe177a4cc394567465a75ed4899e0f67024a52fb Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Sat, 26 Jul 2008 19:56:10 -0700
Subject: New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream regression which prevents sgid shadow apps from being able to authenticate any more because the module forces use of the helper and the helper won't allow authentication of arbitrary users. This change does mean we're going to be noisier for the time being in an SELinux environment, which should be addressed but is not a regression on Debian.
---
 debian/changelog | 6 ++++++
 .../pam_unix_fix_sgid_shadow_auth.patch | 25 ++++++++++++++++++++++
 debian/patches-applied/series | 1 +
 3 files changed, 32 insertions(+)
 create mode 100644 debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
diff --git a/debian/changelog b/debian/changelog
index d41d33c5..b5d3ca5d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -31,6 +31,12 @@ pam (0.99.10.0-1) UNRELEASED; urgency=low
 * New patch no_helper_for_nis+.patch, which restores the behavior of doing in-process NIS+ account checking instead of unconditionally passing it off to the unix_chkpwd helper; if it wasn't broke, don't fix it.
+ * New patch pam_unix_fix_sgid_shadow_auth.patch, fixing an upstream
+ regression which prevents sgid shadow apps from being able to authenticate
+ any more because the module forces use of the helper and the helper won't
+ allow authentication of arbitrary users. This change does mean we're
+ going to be noisier for the time being in an SELinux environment, which
+ should be addressed but is not a regression on Debian.
 * The password-changing helper functionality for SELinux systems has been split out into a separate unix_update binary, so at long last we can change unix_chkpwd to be sgid shadow instead of suid root.
diff --git a/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
new file mode 100644
index 00000000..df5ffcf7
--- /dev/null
+++ b/debian/patches-applied/pam_unix_fix_sgid_shadow_auth.patch
@@ -0,0 +1,25 @@
+Revert upstream change that prevents pam_unix from working with sgid
+shadow applications.
+
+Authors: Steve Langasek
+
+Upstream status: to be submitted (and debated...)
+
+Index: pam.deb/modules/pam_unix/passverify.c
+===================================================================
+--- pam.deb.orig/modules/pam_unix/passverify.c
++++ pam.deb/modules/pam_unix/passverify.c
+@@ -198,11 +198,11 @@
+ * ...and shadow password file entry for this user,
+ * if shadowing is enabled
+ */
++ *spwdent = pam_modutil_getspnam(pamh, name);
+ #ifndef HELPER_COMPILE
+- if (geteuid() || SELINUX_ENABLED)
++ if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))
+ return PAM_UNIX_RUN_HELPER;
+ #endif
+- *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
diff --git a/debian/patches-applied/series b/debian/patches-applied/series
index c67db0e0..168065ab 100644
--- a/debian/patches-applied/series
+++ b/debian/patches-applied/series
@@ -1,6 +1,7 @@
 thread-safe_save_old_password.patch
 setreuid_juggling.patch
 no_helper_for_nis+.patch
+pam_unix_fix_sgid_shadow_auth.patch
 007_modules_pam_unix
 008_modules_pam_limits_chroot
 021_nis_cleanup
-- cgit v1.2.3
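Review bot: The reordered guard `if (*spwdent == NULL && (geteuid() || SELINUX_ENABLED))` treats every NULL from pam_modutil_getspnam alike, so a user with no shadow entry or a transient NSS failure now also falls through to the helper instead of returning PAM_AUTHINFO_UNAVAIL directly, and under SELinux the in-process shadow read is always attempted before the helper, which is the extra audit noise the commit message acknowledges. If the wrapper preserves errno from getspnam (not visible in this hunk), restricting the helper path to the permission case would keep the fallback to where it is needed, e.g. `if (*spwdent == NULL && (errno == EACCES || errno == EPERM) && (geteuid() || SELINUX_ENABLED))`. Independently of that, the moved lookup deserves a comment because the statement order is now load-bearing: `/* Look up the shadow entry in-process first so sgid-shadow callers can authenticate; fall back to the helper only when the lookup fails for us. */`. The enclosing function begins and ends outside the quoted hunk, so the value of spwdent on the PAM_UNIX_RUN_HELPER return path should be checked against its callers there.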