Annotation of /trunk/pam/patches/pam-0.80-CAN-2005-2977.patch
Revision 153 -
Tue May 8 20:52:56 2007 UTC (17 years, 4 months ago) by niro
File size: 3148 byte(s)
-import
When you set SELinux to permissive mode, or the policy does not prevent
running unix_chkpwd as a regular user, it is possible to use unix_chkpwd
to check any user's password from a regular user account.

Because unix_chkpwd has no delay and no logging, this allows easy
brute-force attacks on the passwords in /etc/shadow, which would probably
go unnoticed by the administrator.

This patch prevents this unwanted behaviour and also adds logging.
10 | |||
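--- a/Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c
+++ b/Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c
@@ -119,6 +119,13 @@
 }
 }
 }
+
+if (SELINUX_ENABLED && geteuid() == 0) {
+/* must set the real uid to 0 so the helper will not error
+out if pam is called from setuid binary (su, sudo...) */
+setuid(0);
+}
+
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
 args[1] = x_strdup(user);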
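Review bot: The `setuid(0)` added in this hunk is never checked, so if it fails (for instance when the process has euid 0 but lacks the privilege to change its real uid) the child still execs the helper with a non-zero real uid, and unix_chkpwd's new `getuid() == 0` test silently falls into the unprivileged path with no log entry explaining why a privileged check failed. Check the result and abort the child rather than exec'ing, e.g. `if (setuid(0) != 0) { /* log it and exit the child with the status used when the exec below fails */ }`. The same unchecked call appears in the support.c and pam_unix_passwd.c hunks below. The enclosing function starts and ends outside this hunk.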
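--- a/Linux-PAM-0.77/modules/pam_unix/support.c
+++ b/Linux-PAM-0.77/modules/pam_unix/support.c
@@ -620,6 +620,13 @@
 close(i);
 }
 }
+
+if (SELINUX_ENABLED && geteuid() == 0) {
+/* must set the real uid to 0 so the helper will not error
+out if pam is called from setuid binary (su, sudo...) */
+setuid(0);
+}
+
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
 args[1] = x_strdup(user);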
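Review bot: This hunk is a verbatim copy of the seven-line `SELINUX_ENABLED && geteuid() == 0` / `setuid(0)` block that the pam_unix_acct.c hunk above and the pam_unix_passwd.c hunk below also insert just before the helper exec. Since support.c already hosts code shared by the module's helper-spawning paths, the block belongs in one `static` function here that the three call sites invoke, so that a later correction to the uid handling lands in a single place instead of three. The enclosing function starts and ends outside this hunk.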
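--- a/Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c
+++ b/Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c
@@ -268,6 +268,13 @@
 close(i);
 }
 }
+
+if (SELINUX_ENABLED && geteuid() == 0) {
+/* must set the real uid to 0 so the helper will not error
+out if pam is called from setuid binary (su, sudo...) */
+setuid(0);
+}
+
 /* exec binary helper */
 args[0] = x_strdup(CHKPWD_HELPER);
 args[1] = x_strdup(user);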
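--- a/Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c
+++ b/Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c
@@ -466,13 +466,12 @@
 }
 
 /*
- * determine the current user's name is.
- * On a SELinux enabled system, policy will prevent third parties from using
- * unix_chkpwd as a password guesser. Leaving the existing check prevents
- * su from working, Since the current uid is the users and the password is
- * for root.
+ * Determine what the current user's name is.
+ * On a SELinux enabled system with a strict policy leaving the
+ * existing check prevents shadow password authentication from working.
+ * We must thus skip the check if the real uid is 0.
 */
-if (SELINUX_ENABLED) {
+if (SELINUX_ENABLED && getuid() == 0) {
 user=argv[1];
 }
 else {
@@ -534,6 +533,7 @@
 /* return pass or fail */
 
 if ((retval != PAM_SUCCESS) || force_failure) {
+_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
 return PAM_AUTH_ERR;
 } else {
 return PAM_SUCCESS;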
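Review bot: The `_log_err` added in the second hunk records only the target user, not who invoked the helper, yet the calling real uid is the datum an administrator needs to spot the guessing scenario the patch header describes, since after the first hunk non-root callers are precisely the ones routed through the else branch. Extend the message to something like `_log_err(LOG_NOTICE, "password check failed for user (%s) by uid %lu", user, (unsigned long)getuid());`. The header also promises a delay alongside the logging, but no delay is visible in these two hunks; if it is added elsewhere in the patch it lies outside this view. The enclosing function starts and ends outside both hunks.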