From: Sam Hartman Date: Mon, 11 Sep 2023 14:00:42 -0600 Subject: _pam_wheel_getlogin_considered_harmful Patch for Debian bug #163787 et al Always use the process uid, not getlogin(), to identify an applicant in pam_wheel; utmp may be wrong or may have no entry at all in the case of an xterm Authors: Ben Collins Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> --- modules/pam_wheel/README | 6 ------ modules/pam_wheel/pam_wheel.8.xml | 17 +-------------- modules/pam_wheel/pam_wheel.c | 45 ++++++++------------------------------- 3 files changed, 10 insertions(+), 58 deletions(-) diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README index 5dae4b6..ec9e7d7 100644 --- a/modules/pam_wheel/README +++ b/modules/pam_wheel/README @@ -39,12 +39,6 @@ trust modules the wheel members may be able to su to root without being prompted for a passwd). -use_uid - - The check will be done against the real uid of the calling process, instead - of trying to obtain the user from the login session associated with the - terminal in use. - EXAMPLES The root account gains access by default (rootok), only wheel members can diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml index af0fd61..b42e27d 100644 --- a/modules/pam_wheel/pam_wheel.8.xml +++ b/modules/pam_wheel/pam_wheel.8.xml @@ -30,9 +30,6 @@ trust - - use_uid - @@ -113,18 +110,6 @@ - - - use_uid - - - - The check will be done against the real uid of the calling process, - instead of trying to obtain the user from the login session - associated with the terminal in use. - - - @@ -237,4 +222,4 @@ su auth required pam_unix.so - \ No newline at end of file + diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c index 179f56b..5eb7b82 100644 --- a/modules/pam_wheel/pam_wheel.c +++ b/modules/pam_wheel/pam_wheel.c @@ -47,9 +47,8 @@ /* argument parsing */ #define PAM_DEBUG_ARG 0x0001 -#define PAM_USE_UID_ARG 0x0002 -#define PAM_TRUST_ARG 0x0004 -#define PAM_DENY_ARG 0x0010 +#define PAM_TRUST_ARG 0x0002 +#define PAM_DENY_ARG 0x0004 #define PAM_ROOT_ONLY_ARG 0x0020 static int @@ -68,8 +67,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv, if (!strcmp(*argv,"debug")) ctrl |= PAM_DEBUG_ARG; - else if (!strcmp(*argv,"use_uid")) - ctrl |= PAM_USE_UID_ARG; + else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ else if (!strcmp(*argv,"trust")) ctrl |= PAM_TRUST_ARG; else if (!strcmp(*argv,"deny")) @@ -118,39 +116,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group) } } - if (ctrl & PAM_USE_UID_ARG) { - tpwd = pam_modutil_getpwuid (pamh, getuid()); - if (tpwd == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; - } - fromsu = tpwd->pw_name; - } else { - fromsu = pam_modutil_getlogin(pamh); - - /* if getlogin fails try a fallback to PAM_RUSER */ - if (fromsu == NULL) { - const char *rhostname; - - retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname); - if (retval != PAM_SUCCESS || rhostname == NULL) { - retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu); - } - } - - if (fromsu != NULL) { - tpwd = pam_modutil_getpwnam (pamh, fromsu); - } - - if (fromsu == NULL || tpwd == NULL) { - if (ctrl & PAM_DEBUG_ARG) { - pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); - } - return PAM_SERVICE_ERR; + tpwd = pam_modutil_getpwuid (pamh, getuid()); + if (tpwd == NULL) { + if (ctrl & PAM_DEBUG_ARG) { + pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); } + return PAM_SERVICE_ERR; } + fromsu = tpwd->pw_name; /* * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu