From dba185605b1f9ce2d8d7e90b956abe9fa0487f24 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 26 Oct 2005 19:05:32 +0000 Subject: Relevant BUGIDs: Red Hat bz 168180 Purpose of commit: bugfix Commit summary: --------------- 2005-10-26 Tomas Mraz * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary), modules/pam_unix/pam_unix_passwd.c (_unix_run_shadow_binary), modules/pam_unix/support.c (_unix_run_shadow_binary_): Set real uid to 0 before executing the helper if SELinux is enabled. * modules/pam_unix/unix_chkpwd.c (main): Disable user check only if real uid is 0 (CVE-2005-2977). Log failed password check attempt. --- modules/pam_unix/pam_unix_acct.c | 7 +++++++ modules/pam_unix/pam_unix_passwd.c | 7 +++++++ modules/pam_unix/support.c | 7 +++++++ modules/pam_unix/unix_chkpwd.c | 12 ++++++------ 4 files changed, 27 insertions(+), 6 deletions(-) (limited to 'modules') diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 324ab5ed..ec47d4b6 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -116,6 +116,13 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons } } } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 50a81e38..727f3b3b 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -263,6 +263,13 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const close(i); } } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 3ed4b1f3..38a5d88b 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -521,6 +521,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, close(i); } } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index cc42c4df..b817f658 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -457,13 +457,12 @@ int main(int argc, char *argv[]) } /* - * determine the current user's name is. - * On a SELinux enabled system, policy will prevent third parties from using - * unix_chkpwd as a password guesser. Leaving the existing check prevents - * su from working, Since the current uid is the users and the password is - * for root. + * Determine what the current user's name is. + * On a SELinux enabled system with a strict policy leaving the + * existing check prevents shadow password authentication from working. + * We must thus skip the check if the real uid is 0. */ - if (SELINUX_ENABLED) { + if (SELINUX_ENABLED && getuid() == 0) { user=argv[1]; } else { @@ -525,6 +524,7 @@ int main(int argc, char *argv[]) /* return pass or fail */ if ((retval != PAM_SUCCESS) || force_failure) { + _log_err(LOG_NOTICE, "password check failed for user (%s)", user); return PAM_AUTH_ERR; } else { return PAM_SUCCESS; -- cgit v1.2.3