debian/patches/036_pam_wheel_getlogin_considered_harmful


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148

From: Sam Hartman <hartmans@debian.org>
Date: Mon, 11 Sep 2023 14:00:42 -0600
Subject: _pam_wheel_getlogin_considered_harmful

Patch for Debian bug #163787 et al

Always use the process uid, not getlogin(), to identify an applicant in
pam_wheel; utmp may be wrong or may have no entry at all in the case of
an xterm

Authors: Ben Collins <bcollins@debian.org>

Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
---
 modules/pam_wheel/README          |  6 ------
 modules/pam_wheel/pam_wheel.8.xml | 17 +--------------
 modules/pam_wheel/pam_wheel.c     | 45 ++++++++-------------------------------
 3 files changed, 10 insertions(+), 58 deletions(-)

diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README
index 5dae4b6..ec9e7d7 100644
--- a/modules/pam_wheel/README
+++ b/modules/pam_wheel/README
@@ -39,12 +39,6 @@ trust
     modules the wheel members may be able to su to root without being prompted
     for a passwd).
 
-use_uid
-
-    The check will be done against the real uid of the calling process, instead
-    of trying to obtain the user from the login session associated with the
-    terminal in use.
-
 EXAMPLES
 
 The root account gains access by default (rootok), only wheel members can
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
index af0fd61..b42e27d 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
@@ -30,9 +30,6 @@
       <arg choice="opt" rep="norepeat">
 	trust
       </arg>
-      <arg choice="opt" rep="norepeat">
-	use_uid
-      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -113,18 +110,6 @@
           </para>
         </listitem>
       </varlistentry>
-      <varlistentry>
-        <term>
-          use_uid
-        </term>
-        <listitem>
-          <para>
-            The check will be done against the real uid of the calling process,
-            instead of trying to obtain the user from the login session
-            associated with the terminal in use.
-          </para>
-        </listitem>
-      </varlistentry>
     </variablelist>
   </refsect1>
 
@@ -237,4 +222,4 @@ su      auth     required       pam_unix.so
       </para>
   </refsect1>
 
-</refentry>
\ No newline at end of file
+</refentry>
diff --git a/modules/pam_wheel/pam_wheel.c b/modules/pam_wheel/pam_wheel.c
index 179f56b..5eb7b82 100644
--- a/modules/pam_wheel/pam_wheel.c
+++ b/modules/pam_wheel/pam_wheel.c
@@ -47,9 +47,8 @@
 /* argument parsing */
 
 #define PAM_DEBUG_ARG       0x0001
-#define PAM_USE_UID_ARG     0x0002
-#define PAM_TRUST_ARG       0x0004
-#define PAM_DENY_ARG        0x0010
+#define PAM_TRUST_ARG       0x0002
+#define PAM_DENY_ARG        0x0004
 #define PAM_ROOT_ONLY_ARG   0x0020
 
 static int
@@ -68,8 +67,7 @@ _pam_parse (const pam_handle_t *pamh, int argc, const char **argv,
 
           if (!strcmp(*argv,"debug"))
                ctrl |= PAM_DEBUG_ARG;
-          else if (!strcmp(*argv,"use_uid"))
-               ctrl |= PAM_USE_UID_ARG;
+          else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */
           else if (!strcmp(*argv,"trust"))
                ctrl |= PAM_TRUST_ARG;
           else if (!strcmp(*argv,"deny"))
@@ -118,39 +116,14 @@ perform_check (pam_handle_t *pamh, int ctrl, const char *use_group)
         }
     }
 
-    if (ctrl & PAM_USE_UID_ARG) {
-        tpwd = pam_modutil_getpwuid (pamh, getuid());
-        if (tpwd == NULL) {
-            if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-            }
-            return PAM_SERVICE_ERR;
-        }
-        fromsu = tpwd->pw_name;
-    } else {
-        fromsu = pam_modutil_getlogin(pamh);
-
-        /* if getlogin fails try a fallback to PAM_RUSER */
-        if (fromsu == NULL) {
-            const char *rhostname;
-
-            retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname);
-            if (retval != PAM_SUCCESS || rhostname == NULL) {
-                retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu);
-            }
-        }
-
-        if (fromsu != NULL) {
-            tpwd = pam_modutil_getpwnam (pamh, fromsu);
-        }
-
-        if (fromsu == NULL || tpwd == NULL) {
-            if (ctrl & PAM_DEBUG_ARG) {
-                pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
-            }
-            return PAM_SERVICE_ERR;
+    tpwd = pam_modutil_getpwuid (pamh, getuid());
+    if (tpwd == NULL) {
+        if (ctrl & PAM_DEBUG_ARG) {
+            pam_syslog(pamh, LOG_NOTICE, "who is running me ?!");
         }
+        return PAM_SERVICE_ERR;
     }
+    fromsu = tpwd->pw_name;
 
     /*
      * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu