Magellan Linux

Annotation of /trunk/pam/patches/pam-0.80-CAN-2005-2977.patch



Revision 153 - (hide annotations) (download)
Tue May 8 20:52:56 2007 UTC (17 years, 1 month ago) by niro
File size: 3148 byte(s)
-import

1 niro 153 When you set SELinux to permissive mode or the policy doesn't prevent
2     running unix_chkpwd as regular user it is possible to use unix_chkpwd
3     for checking any user's passwords from a regular user account.
4    
5     Because there is no delay and no logging in unix_chkpwd, it allows easy
6     brute-force attacks on passwords in /etc/shadow which probably
7     won't get noticed by the administrator.
8    
9     This patch prevents this unwanted behaviour and also adds logging.
10    
11     --- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root 2005-10-07 18:40:47.000000000 +0200
12     +++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c 2005-10-17 00:23:50.000000000 +0200
13     @@ -119,6 +119,13 @@
14     }
15     }
16     }
17     +
18     + if (SELINUX_ENABLED && geteuid() == 0) {
19     + /* must set the real uid to 0 so the helper will not error
20     + out if pam is called from setuid binary (su, sudo...) */
21     + setuid(0);
22     + }
23     +
24     /* exec binary helper */
25     args[0] = x_strdup(CHKPWD_HELPER);
26     args[1] = x_strdup(user);
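Review bot: The added `setuid(0);` discards its return value, so a failed call goes unnoticed and the helper is still exec'd with the caller's original real uid. With the new `getuid() == 0` test in unix_chkpwd.c that case probably fails closed, but it does so silently and surfaces only as an unexplained authentication failure. I would check the result, for example `if (setuid(0) == -1) { /* log errno and exit the child instead of exec'ing the helper */ }`. The same unchecked call is added in the support.c and pam_unix_passwd.c hunks. The enclosing function starts and ends outside this hunk, so that this code runs in a forked child is inferred from the `/* exec binary helper */` context line.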
27     --- Linux-PAM-0.77/modules/pam_unix/support.c.only-root 2005-10-07 18:40:47.000000000 +0200
28     +++ Linux-PAM-0.77/modules/pam_unix/support.c 2005-10-07 18:40:47.000000000 +0200
29     @@ -620,6 +620,13 @@
30     close(i);
31     }
32     }
33     +
34     + if (SELINUX_ENABLED && geteuid() == 0) {
35     + /* must set the real uid to 0 so the helper will not error
36     + out if pam is called from setuid binary (su, sudo...) */
37     + setuid(0);
38     + }
39     +
40     /* exec binary helper */
41     args[0] = x_strdup(CHKPWD_HELPER);
42     args[1] = x_strdup(user);
43     --- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
44     +++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2005-10-17 00:24:20.000000000 +0200
45     @@ -268,6 +268,13 @@
46     close(i);
47     }
48     }
49     +
50     + if (SELINUX_ENABLED && geteuid() == 0) {
51     + /* must set the real uid to 0 so the helper will not error
52     + out if pam is called from setuid binary (su, sudo...) */
53     + setuid(0);
54     + }
55     +
56     /* exec binary helper */
57     args[0] = x_strdup(CHKPWD_HELPER);
58     args[1] = x_strdup(user);
59     --- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root 2005-10-07 18:40:47.000000000 +0200
60     +++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c 2005-10-07 18:40:47.000000000 +0200
61     @@ -466,13 +466,12 @@
62     }
63    
64     /*
65     - * determine the current user's name is.
66     - * On a SELinux enabled system, policy will prevent third parties from using
67     - * unix_chkpwd as a password guesser. Leaving the existing check prevents
68     - * su from working, Since the current uid is the users and the password is
69     - * for root.
70     + * Determine what the current user's name is.
71     + * On a SELinux enabled system with a strict policy leaving the
72     + * existing check prevents shadow password authentication from working.
73     + * We must thus skip the check if the real uid is 0.
74     */
75     - if (SELINUX_ENABLED) {
76     + if (SELINUX_ENABLED && getuid() == 0) {
77     user=argv[1];
78     }
79     else {
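Review bot: The rewritten comment above `if (SELINUX_ENABLED && getuid() == 0)` says the check is skipped for real uid 0 but not why that is safe, and this condition is what now decides whether `argv[1]` is trusted as the account to verify. I would state the invariant in the comment, for example `/* Only a caller whose real uid is 0 may name an arbitrary user in argv[1]; the PAM modules call setuid(0) before exec'ing this helper when their euid is 0. */`. The `else` branch continues outside the hunk, so the handling of non-root callers is presumably the pre-existing uid-based lookup; that is worth confirming and mentioning in the same comment.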
80     @@ -534,6 +533,7 @@
81     /* return pass or fail */
82    
83     if ((retval != PAM_SUCCESS) || force_failure) {
84     + _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
85     return PAM_AUTH_ERR;
86     } else {
87     return PAM_SUCCESS;
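Review bot: The new `_log_err(LOG_NOTICE, ...)` line records only the target account, not who ran the helper, so the log cannot attribute repeated failures to a particular local account. The patch description names unnoticed password guessing from a regular user account as the problem, so the caller's real uid is the field an administrator needs here. Consider `_log_err(LOG_NOTICE, "password check failed for user (%s) by uid %lu", user, (unsigned long)getuid());`. The description also mentions the missing delay, and no delay is added in the visible hunks; a comment that says whether this is deliberate would help. The enclosing function begins outside the hunk.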
88    
89