File: pam_unix_dont_trust_chkpwd_caller.patch

pam 1.1.8-3.6
  • area: main
  • in suites: stretch
Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
helper could be sgid shadow instead of suid root, as it is in Debian and
Ubuntu by default.  Drop any sgid bits as well.

Authors: Steve Langasek <vorlon@debian.org>,
         Michael Spang <mspang@csclub.uwaterloo.ca>

Upstream status: to be submitted

Index: pam-debian/modules/pam_unix/unix_chkpwd.c
===================================================================
--- pam-debian.orig/modules/pam_unix/unix_chkpwd.c	2011-10-10 16:22:06.270705822 -0700
+++ pam-debian/modules/pam_unix/unix_chkpwd.c	2011-10-10 16:24:06.080224301 -0700
@@ -137,9 +137,10 @@
 	  /* if the caller specifies the username, verify that user
 	     matches it */
 	  if (strcmp(user, argv[1])) {
+	    gid_t gid = getgid();
 	    user = argv[1];
 	    /* no match -> permanently change to the real user and proceed */
-	    if (setuid(getuid()) != 0)
+	    if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
 		return PAM_AUTH_ERR;
 	  }
 	}
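
Review bot: The comment on the line above the changed call still reads "permanently change to the real user", but the call now also resets the real, effective and saved group IDs; update it to say that both user and group privileges are dropped, and note the reason given in the patch description (the helper may be installed sgid shadow rather than suid root). The ordering is correct, since the group drop must come before setuid() gives up any root privilege. For symmetry, consider setresuid(uid, uid, uid) in place of setuid(getuid()), so that the saved ID is cleared explicitly for both IDs instead of relying on setuid() clearing it only when the effective UID is root.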