From c16e3322975dd3ced7817602e88be8b4557e5c6e Mon Sep 17 00:00:00 2001
From: Steve Langasek
Date: Wed, 26 Aug 2009 09:30:35 -0700
Subject: debian/patches/pam_unix_dont_trust_chkpwd_caller.patch: fix this patch to call setregid() instead of always returning an error on username mismatch in unix_chkpwd, needed in the SELinux case and in some corner cases with the broken_shadow option. Thanks to Michael Spang for the analysis. Closes: #543589.
---
.../pam_unix_dont_trust_chkpwd_caller.patch | 27 ++++++++++------------
1 file changed, 12 insertions(+), 15 deletions(-)
(limited to 'debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch')
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
index ba36e8c8..80334841 100644
--- a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -1,28 +1,25 @@ -Revert upstream change that causes unix_chkpwd to assume it's ok to -attempt authentication for any username as long as we call -setuid(getuid()) first. This is specifically *not* the case on Debian -and Ubuntu, where unix_chkpwd is setgid shadow instead of setuid root. +Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd +helper could be sgid shadow instead of suid root, as it is in Debian and +Ubuntu by default. Drop any sgid bits as well. -Adding an additional setgid(getgid()) call may be enough to fix this, -but this needs further examination before pushing out such a change. +Authors: Steve Langasek , + Michael Spang -Authors: Steve Langasek - -Upstream status: Debian-specific, pending the above analysis +Upstream status: to be submitted Index: pam.deb/modules/pam_unix/unix_chkpwd.c =================================================================== --- pam.deb.orig/modules/pam_unix/unix_chkpwd.c +++ pam.deb/modules/pam_unix/unix_chkpwd.c -@@ -101,10 +101,7 @@ +@@ -137,9 +137,10 @@ /* if the caller specifies the username, verify that user matches it */ if (strcmp(user, argv[1])) { -- user = argv[1]; -- /* no match -> permanently change to the real user and proceed */ ++ gid_t gid = getgid(); + user = argv[1]; + /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) -- return PAM_AUTH_ERR; -+ return PAM_AUTH_ERR; ++ if (setregid(gid, gid) != 0 || setuid(getuid()) != 0) + return PAM_AUTH_ERR; } } - -- cgit v1.2.3
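Review bot: The inner comment `/* no match -> permanently change to the real user and proceed */` is carried over unchanged, although the new code now drops the group identity as well and nothing records why `setregid(gid, gid)` is used or why it runs before `setuid(getuid())`. Because the patch exists precisely for the case where unix_chkpwd is sgid shadow, I would reword it to `/* no match -> permanently drop sgid (real, effective and saved gid), then suid, and proceed as the real user */` so that a later cleanup does not swap in `setegid()` or reorder the calls. Checking both return values is right; a cheap guard after them, `if (getegid() != gid || geteuid() != getuid()) return PAM_AUTH_ERR;`, would make the post-condition explicit. The enclosing function in unix_chkpwd.c starts and ends outside this hunk, so whether a failed privilege drop is logged for later audit cannot be confirmed from here.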