Magellan Linux

Contents of /trunk/pam/patches/pam-0.80-CAN-2005-2977.patch



Revision 153 - (show annotations) (download)
Tue May 8 20:52:56 2007 UTC (17 years, 5 months ago) by niro
File size: 3148 byte(s)
-import

1 When you set SELinux to permissive mode or the policy doesn't prevent
2 running unix_chkpwd as regular user it is possible to use unix_chkpwd
3 for checking any user's passwords from a regular user account.
4
5 Because unix_chkpwd has neither a delay nor logging, it allows easy
6 brute-force attacks on passwords in /etc/shadow, which probably
7 won't be noticed by the administrator.
8
9 This patch prevents this unwanted behaviour and also adds logging.
10
11 --- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root 2005-10-07 18:40:47.000000000 +0200
12 +++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c 2005-10-17 00:23:50.000000000 +0200
13 @@ -119,6 +119,13 @@
14 }
15 }
16 }
17 +
18 + if (SELINUX_ENABLED && geteuid() == 0) {
19 + /* must set the real uid to 0 so the helper will not error
20 + out if pam is called from setuid binary (su, sudo...) */
21 + setuid(0);
22 + }
23 +
24 /* exec binary helper */
25 args[0] = x_strdup(CHKPWD_HELPER);
26 args[1] = x_strdup(user);
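Review bot: The result of `setuid(0)` is discarded in the added block, and the identical block in the support.c and pam_unix_passwd.c hunks has the same gap. If the call fails, the helper is executed with the caller's real uid and the failure shows up only as an unexplained authentication error, so check it and fail the attempt visibly: `if (setuid(0) != 0) { /* log errno, then fail the check */ }`. The enclosing function starts and ends outside the hunk; the surrounding context suggests this runs in the forked child just before the exec. That is worth confirming, because raising the real uid in the calling process itself would persist for a setuid program such as su or sudo.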
27 --- Linux-PAM-0.77/modules/pam_unix/support.c.only-root 2005-10-07 18:40:47.000000000 +0200
28 +++ Linux-PAM-0.77/modules/pam_unix/support.c 2005-10-07 18:40:47.000000000 +0200
29 @@ -620,6 +620,13 @@
30 close(i);
31 }
32 }
33 +
34 + if (SELINUX_ENABLED && geteuid() == 0) {
35 + /* must set the real uid to 0 so the helper will not error
36 + out if pam is called from setuid binary (su, sudo...) */
37 + setuid(0);
38 + }
39 +
40 /* exec binary helper */
41 args[0] = x_strdup(CHKPWD_HELPER);
42 args[1] = x_strdup(user);
43 --- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
44 +++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2005-10-17 00:24:20.000000000 +0200
45 @@ -268,6 +268,13 @@
46 close(i);
47 }
48 }
49 +
50 + if (SELINUX_ENABLED && geteuid() == 0) {
51 + /* must set the real uid to 0 so the helper will not error
52 + out if pam is called from setuid binary (su, sudo...) */
53 + setuid(0);
54 + }
55 +
56 /* exec binary helper */
57 args[0] = x_strdup(CHKPWD_HELPER);
58 args[1] = x_strdup(user);
59 --- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
60 +++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c 2005-10-07 18:40:47.000000000 +0200
61 @@ -466,13 +466,12 @@
62 }
63
64 /*
65 - * determine the current user's name is.
66 - * On a SELinux enabled system, policy will prevent third parties from using
67 - * unix_chkpwd as a password guesser. Leaving the existing check prevents
68 - * su from working, Since the current uid is the users and the password is
69 - * for root.
70 + * Determine what the current user's name is.
71 + * On a SELinux enabled system with a strict policy leaving the
72 + * existing check prevents shadow password authentication from working.
73 + * We must thus skip the check if the real uid is 0.
74 */
75 - if (SELINUX_ENABLED) {
76 + if (SELINUX_ENABLED && getuid() == 0) {
77 user=argv[1];
78 }
79 else {
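Review bot: The rewritten comment above `if (SELINUX_ENABLED && getuid() == 0)` says why the check is skipped but not the rule the condition now enforces, which is the part a later maintainer must not weaken. I would add a line such as `* Only a caller whose real uid is 0 may name the account in argv[1]; every other caller goes through the check in the else branch.` The else branch and the rest of the function lie outside this hunk, so that wording should be confirmed against the check it actually performs. It is also not visible here whether argc is validated before `argv[1]` is read.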
80 @@ -534,6 +533,7 @@
81 /* return pass or fail */
82
83 if ((retval != PAM_SUCCESS) || force_failure) {
84 + _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
85 return PAM_AUTH_ERR;
86 } else {
87 return PAM_SUCCESS;
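Review bot: The added `_log_err` line records the account that was tested but not who ran the helper, which is what an administrator needs to attribute repeated failures to a local account. Including the real uid would close that gap, e.g. `_log_err(LOG_NOTICE, "password check failed for user (%s) by uid %d", user, (int) getuid());`. The patch description also names the missing delay as part of the problem, and no delay on failure appears in this hunk; if one is not applied elsewhere in the file, the non-root path can still be retried at full speed. The function body continues outside the hunk.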