Contents of /trunk/pam/patches/pam-0.80-CAN-2005-2977.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 5 months ago) by niro
File size: 3148 byte(s)
-import
1 | When you set SELinux to permissive mode or the policy doesn't prevent |
2 | running unix_chkpwd as regular user it is possible to use unix_chkpwd |
3 | for checking any user's passwords from a regular user account. |
4 | |
5 | Because there is no delay or logging in unix_chkpwd, it allows easy |
6 | brute-force attacks on passwords in /etc/shadow which will probably |
7 | not be noticed by the administrator. |
8 | |
9 | This patch prevents this unwanted behaviour and also adds logging. |
10 | |
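--- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c 2005-10-17 00:23:50.000000000 +0200
@@ -119,6 +119,13 @@
 }
 }
 }
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
 args[1] = x_strdup(user);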
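Review bot: The return value of `setuid(0)` in the added block is not checked, so if the call fails (unlikely while the effective uid is already 0, but possible under a restricted capability set) the helper is exec'd with a non-zero real uid and, given the new `getuid() == 0` condition in unix_chkpwd.c, the password check fails with no record of why. The fd-closing loop just above suggests this is the forked child right before exec, so the failure should be logged and the child should stop there rather than fall through: `if (setuid(0) == -1) {` followed by a log call and `_exit(PAM_AUTHINFO_UNAVAIL); }`. The identical blocks added to support.c and pam_unix_passwd.c have the same gap. The enclosing function begins and ends outside the hunk.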
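--- Linux-PAM-0.77/modules/pam_unix/support.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/support.c 2005-10-07 18:40:47.000000000 +0200
@@ -620,6 +620,13 @@
 close(i);
 }
 }
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
 args[1] = x_strdup(user);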
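--- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2005-10-17 00:24:20.000000000 +0200
@@ -268,6 +268,13 @@
 close(i);
 }
 }
+
+ if (SELINUX_ENABLED && geteuid() == 0) {
+ /* must set the real uid to 0 so the helper will not error
+ out if pam is called from setuid binary (su, sudo...) */
+ setuid(0);
+ }
+
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
 args[1] = x_strdup(user);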
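--- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
+++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c 2005-10-07 18:40:47.000000000 +0200
@@ -466,13 +466,12 @@
 }
 
 /*
- * determine the current user's name is.
- * On a SELinux enabled system, policy will prevent third parties from using
- * unix_chkpwd as a password guesser. Leaving the existing check prevents
- * su from working, Since the current uid is the users and the password is
- * for root.
+ * Determine what the current user's name is.
+ * On a SELinux enabled system with a strict policy leaving the
+ * existing check prevents shadow password authentication from working.
+ * We must thus skip the check if the real uid is 0.
 */
- if (SELINUX_ENABLED) {
+ if (SELINUX_ENABLED && getuid() == 0) {
 user=argv[1];
 }
 else {
@@ -534,6 +533,7 @@
 /* return pass or fail */
 
 if ((retval != PAM_SUCCESS) || force_failure) {
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
 return PAM_AUTH_ERR;
 } else {
 return PAM_SUCCESS;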
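Review bot: The new `_log_err` notice in the second hunk records only the target account, not who invoked the helper, which is the detail an administrator needs to tell repeated guesses from one caller apart from ordinary login failures; the patch description says noticeability is the goal. Including the real uid does that: `_log_err(LOG_NOTICE, "password check failed for user (%s) by uid %lu", user, (unsigned long)getuid());`. Since the first hunk takes `user` from `argv[1]` when the real uid is 0, it is caller-supplied there and must stay a `%s` argument as the new line already does. Both enclosing functions start and end outside their hunks.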