74 lines
2.7 KiB
Diff
74 lines
2.7 KiB
Diff
|
From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
|
||
|
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||
|
Date: Wed, 24 Jan 2024 18:57:42 +0100
|
||
|
Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
|
||
|
|
||
|
The geteuid check does not cover all cases. If a program runs with
|
||
|
elevated capabilities like CAP_SETUID then we can still check
|
||
|
credentials of other users.
|
||
|
|
||
|
Keep logging for future analysis though.
|
||
|
|
||
|
Resolves: https://github.com/linux-pam/linux-pam/issues/747
|
||
|
Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
|
||
|
|
||
|
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||
|
---
|
||
|
modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
|
||
|
modules/pam_unix/support.c | 14 +++++++-------
|
||
|
2 files changed, 16 insertions(+), 15 deletions(-)
|
||
|
|
||
|
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
|
||
|
index 8f5ed3e0d..7ffcb9e3f 100644
|
||
|
--- a/modules/pam_unix/pam_unix_acct.c
|
||
|
+++ b/modules/pam_unix/pam_unix_acct.c
|
||
|
@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
|
||
|
_exit(PAM_AUTHINFO_UNAVAIL);
|
||
|
}
|
||
|
|
||
|
- if (geteuid() == 0) {
|
||
|
- /* must set the real uid to 0 so the helper will not error
|
||
|
- out if pam is called from setuid binary (su, sudo...) */
|
||
|
- if (setuid(0) == -1) {
|
||
|
- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
|
||
|
- printf("-1\n");
|
||
|
- fflush(stdout);
|
||
|
- _exit(PAM_AUTHINFO_UNAVAIL);
|
||
|
+ /* must set the real uid to 0 so the helper will not error
|
||
|
+ out if pam is called from setuid binary (su, sudo...) */
|
||
|
+ if (setuid(0) == -1) {
|
||
|
+ uid_t euid = geteuid();
|
||
|
+ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
|
||
|
+ if (euid == 0) {
|
||
|
+ printf("-1\n");
|
||
|
+ fflush(stdout);
|
||
|
+ _exit(PAM_AUTHINFO_UNAVAIL);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
||
|
index d391973f9..69811048e 100644
|
||
|
--- a/modules/pam_unix/support.c
|
||
|
+++ b/modules/pam_unix/support.c
|
||
|
@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
|
||
|
_exit(PAM_AUTHINFO_UNAVAIL);
|
||
|
}
|
||
|
|
||
|
- if (geteuid() == 0) {
|
||
|
- /* must set the real uid to 0 so the helper will not error
|
||
|
- out if pam is called from setuid binary (su, sudo...) */
|
||
|
- if (setuid(0) == -1) {
|
||
|
- D(("setuid failed"));
|
||
|
- _exit(PAM_AUTHINFO_UNAVAIL);
|
||
|
- }
|
||
|
+ /* must set the real uid to 0 so the helper will not error
|
||
|
+ out if pam is called from setuid binary (su, sudo...) */
|
||
|
+ if (setuid(0) == -1) {
|
||
|
+ D(("setuid failed"));
|
||
|
+ if (geteuid() == 0) {
|
||
|
+ _exit(PAM_AUTHINFO_UNAVAIL);
|
||
|
+ }
|
||
|
}
|
||
|
|
||
|
/* exec binary helper */
|