From 0b1055f64657dc0bf175f75c23470b2be7630451 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Sun, 3 Oct 2010 21:00:53 +0000
Subject: Relevant BUGIDs:

Purpose of commit: bugfix

Commit summary:
---------------
2010-10-04  Dmitry V. Levin  <ldv@altlinux.org>

	* libpam/pam_modutil_priv.c: New file.
	* libpam/Makefile.am (libpam_la_SOURCES): Add it.
	* libpam/include/security/pam_modutil.h (struct pam_modutil_privs,
	PAM_MODUTIL_DEF_PRIVS, pam_modutil_drop_priv,
	pam_modutil_regain_priv): New declarations.
	* libpam/libpam.map (LIBPAM_MODUTIL_1.1.3): New interface.
	* modules/pam_env/pam_env.c (handle_env): Use new pam_modutil interface.
	* modules/pam_mail/pam_mail.c (_do_mail): Likewise.
	* modules/pam_xauth/pam_xauth.c (check_acl, pam_sm_open_session,
	pam_sm_close_session): Likewise.
	(pam_sm_open_session): Remove redundant fchown call.
	Fixes CVE-2010-3430, CVE-2010-3431.
---
 modules/pam_mail/pam_mail.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

(limited to 'modules/pam_mail/pam_mail.c')

diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c
index c19cbbe3..f5ba1733 100644
--- a/modules/pam_mail/pam_mail.c
+++ b/modules/pam_mail/pam_mail.c
@@ -17,7 +17,6 @@
 #include <syslog.h>
 #include <sys/stat.h>
 #include <sys/types.h>
-#include <sys/fsuid.h>
 #include <unistd.h>
 #include <dirent.h>
 #include <errno.h>
@@ -444,9 +443,18 @@ static int _do_mail(pam_handle_t *pamh, int flags, int argc,
 
     if ((est && !(ctrl & PAM_NO_LOGIN))
 	|| (!est && (ctrl & PAM_LOGOUT_TOO))) {
-	uid_t fsuid = setfsuid(pwd->pw_uid);
-	type = get_mail_status(pamh, ctrl, folder);
-	setfsuid(fsuid);
+	PAM_MODUTIL_DEF_PRIVS(privs);
+
+	if (pam_modutil_drop_priv(pamh, &privs, pwd)) {
+	  retval = PAM_SESSION_ERR;
+	  goto do_mail_cleanup;
+	} else {
+	  type = get_mail_status(pamh, ctrl, folder);
+	  if (pam_modutil_regain_priv(pamh, &privs)) {
+	    retval = PAM_SESSION_ERR;
+	    goto do_mail_cleanup;
+	  }
+	}
 
 	if (type != 0) {
 	    retval = report_mail(pamh, ctrl, type, folder);
-- 
cgit v1.2.3