From a6f4ab0bebc76acf85cc0244bd21c1036009c28c Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Wed, 2 Jan 2019 12:24:44 -0800
Subject: fix-up commit for grafting svn history onto git history
---
.../036_pam_wheel_getlogin_considered_harmful | 251 +++++++++++++++++++++
1 file changed, 251 insertions(+)
create mode 100644 debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
(limited to 'debian/patches-applied/036_pam_wheel_getlogin_considered_harmful')
diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
new file mode 100644
index 00000000..b95a677b
--- /dev/null
+++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful
@@ -0,0 +1,251 @@
+Patch for Debian bug #163787 et al
+
+Always use the process uid, not getlogin(), to identify an applicant in
+pam_wheel; utmp may be wrong or may have no entry at all in the case of
+an xterm
+
+Authors: Ben Collins
+
+Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
+
+Index: Linux-PAM/modules/pam_wheel/pam_wheel.c
+===================================================================
+--- Linux-PAM/modules/pam_wheel/pam_wheel.c.orig
++++ Linux-PAM/modules/pam_wheel/pam_wheel.c
+@@ -60,9 +60,8 @@
+ /* argument parsing */
+
+ #define PAM_DEBUG_ARG 0x0001
+-#define PAM_USE_UID_ARG 0x0002
+-#define PAM_TRUST_ARG 0x0004
+-#define PAM_DENY_ARG 0x0010
++#define PAM_TRUST_ARG 0x0002
++#define PAM_DENY_ARG 0x0004
+ #define PAM_ROOT_ONLY_ARG 0x0020
+
+ static int
+@@ -80,8 +79,7 @@
+
+ if (!strcmp(*argv,"debug"))
+ ctrl |= PAM_DEBUG_ARG;
+- else if (!strcmp(*argv,"use_uid"))
+- ctrl |= PAM_USE_UID_ARG;
++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat.
*/ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -129,27 +127,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (!tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- if (fromsu) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- if (!fromsu || !tpwd) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (!tpwd) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: Linux-PAM/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- Linux-PAM/modules/pam_wheel/pam_wheel.8.xml.orig ++++ Linux-PAM/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + + trust + +- +- use_uid +- + + + +@@ -115,18 +112,6 @@ + + + +- +- +- +- +- +- +- The check for wheel membership will be done against +- the current uid instead of the original one (useful when +- jumping with su from one account to another for example). 
+- +- +- + + + +Index: Linux-PAM/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- Linux-PAM/modules/pam_wheel/pam_wheel.8.orig ++++ Linux-PAM/modules/pam_wheel/pam_wheel.8 +@@ -1,11 +1,11 @@ + .\" Title: pam_wheel + .\" Author: +-.\" Generator: DocBook XSL Stylesheets v1.70.1 +-.\" Date: 06/09/2006 +-.\" Manual: Linux\-PAM Manual +-.\" Source: Linux\-PAM Manual ++.\" Generator: DocBook XSL Stylesheets v1.72.0 ++.\" Date: 08/19/2007 ++.\" Manual: Linux-PAM Manual ++.\" Source: Linux-PAM Manual + .\" +-.TH "PAM_WHEEL" "8" "06/09/2006" "Linux\-PAM Manual" "Linux\-PAM Manual" ++.TH "PAM_WHEEL" "8" "08/19/2007" "Linux\-PAM Manual" "Linux\-PAM Manual" + .\" disable hyphenation + .nh + .\" disable justification (adjust text to left margin only) +@@ -14,7 +14,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP 13 +-\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -24,30 +24,37 @@ + group. If no group with this name exist, the module is using the group with the group\-ID + \fB0\fR. + .SH "OPTIONS" +-.TP 3n ++.PP + \fBdebug\fR ++.RS 4 + Print debug information. +-.TP 3n ++.RE ++.PP + \fBdeny\fR ++.RS 4 + Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the + \fBgroup\fR + option), deny access. Conversely, if the user is not in the group, return PAM_IGNORE (unless + \fBtrust\fR + was also specified, in which case we return PAM_SUCCESS). +-.TP 3n ++.RE ++.PP + \fBgroup=\fR\fB\fIname\fR\fR ++.RS 4 + Instead of checking the wheel or GID 0 groups, use the + \fB\fIname\fR\fR + group to perform the authentication. +-.TP 3n ++.RE ++.PP + \fBroot_only\fR ++.RS 4 + The check for wheel membership is done only. 
+-.TP 3n ++.RE ++.PP + \fBtrust\fR ++.RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd). +-.TP 3n +-\fBuse_uid\fR +-The check for wheel membership will be done against the current uid instead of the original one (useful when jumping with su from one account to another for example). ++.RE + .SH "MODULE SERVICES PROVIDED" + .PP + The +@@ -56,32 +63,46 @@ + \fBaccount\fR + services are supported. + .SH "RETURN VALUES" +-.TP 3n ++.PP + PAM_AUTH_ERR ++.RS 4 + Authentication failure. +-.TP 3n ++.RE ++.PP + PAM_BUF_ERR ++.RS 4 + Memory buffer error. +-.TP 3n ++.RE ++.PP + PAM_IGNORE ++.RS 4 + The return value should be ignored by PAM dispatch. +-.TP 3n ++.RE ++.PP + PAM_PERM_DENY ++.RS 4 + Permission denied. +-.TP 3n ++.RE ++.PP + PAM_SERVICE_ERR ++.RS 4 + Cannot determine the user name. +-.TP 3n ++.RE ++.PP + PAM_SUCCESS ++.RS 4 + Success. +-.TP 3n ++.RE ++.PP + PAM_USER_UNKNOWN ++.RS 4 + User not known. ++.RE + .SH "EXAMPLES" + .PP + The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants. + .sp +-.RS 3n ++.RS 4 + .nf + su auth sufficient pam_rootok.so + su auth required pam_wheel.so +Index: Linux-PAM/modules/pam_wheel/README +=================================================================== +--- Linux-PAM/modules/pam_wheel/README.orig ++++ Linux-PAM/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check for wheel membership will be done against the current uid instead +- of the original one (useful when jumping with su from one account to +- another for example). +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can -- cgit v1.2.3
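Review bot: In the -80,8 hunk of pam_wheel.c the kept-for-compatibility option is parsed as `else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */`, an `else if` whose body is a bare `;` — GCC warns about this under -Wempty-body and a later edit that appends a statement after the comment would silently turn the no-op into a real branch; write it as `else if (!strcmp(*argv,"use_uid")) { /* accepted and ignored: the invoker is always taken from getuid() */ }`. The argument parser and the function containing the getuid() lookup both start and end outside the hunks shown. Separately, the pam_wheel.8, pam_wheel.8.xml and README hunks delete the only text that explained how the applicant is identified and add nothing in its place, so the DESCRIPTION section of pam_wheel.8 should gain a sentence such as "The applicant is identified by the real uid of the calling process (getuid()); the utmp login name is not consulted", which also makes clear to administrators that the check is presumably only meaningful for applications running with the applicant's uid, such as su. The renumbering of PAM_TRUST_ARG and PAM_DENY_ARG while PAM_ROOT_ONLY_ARG stays at 0x0020 leaves a gap in the flag bits that looks harmless but is worth closing for readability.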