blob: ba36e8c8a83fb2dbd2c7ae6578c92e19e05a84f3 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
Revert upstream change that causes unix_chkpwd to assume it's ok to
attempt authentication for any username as long as we call
setuid(getuid()) first. This is specifically *not* the case on Debian
and Ubuntu, where unix_chkpwd is setgid shadow instead of setuid root.
Adding an additional setgid(getgid()) call may be enough to fix this,
but this needs further examination before pushing out such a change.
Authors: Steve Langasek <vorlon@debian.org>
Upstream status: Debian-specific, pending the above analysis
Index: pam.deb/modules/pam_unix/unix_chkpwd.c
===================================================================
--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
+++ pam.deb/modules/pam_unix/unix_chkpwd.c
@@ -101,10 +101,7 @@
/* if the caller specifies the username, verify that user
matches it */
if (strcmp(user, argv[1])) {
- user = argv[1];
- /* no match -> permanently change to the real user and proceed */
- if (setuid(getuid()) != 0)
- return PAM_AUTH_ERR;
+ return PAM_AUTH_ERR;
}
}
|