
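--- a/Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root
+++ b/Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root
@@ -119,6 +119,13 @@
 	}
       }	
     }
+
+    if (SELINUX_ENABLED && geteuid() == 0) {
+      /* must set the real uid to 0 so the helper will not error
+         out if pam is called from setuid binary (su, sudo...) */
+      setuid(0);
+    }
+
     /* exec binary helper */
     args[0] = x_strdup(CHKPWD_HELPER);
     args[1] = x_strdup(user);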
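Review bot: The `setuid(0)` at new line 126 is unchecked, so if it fails the exec that follows still runs the helper with a non-root real uid and, under the matching unix_chkpwd change on this page, the helper would then quietly take its non-root path instead of trusting the user named in argv[1]. With euid already 0 the call is expected to succeed, but it can still fail, so check it and stop the child with a failing status rather than continuing, e.g. `if (setuid(0) != 0) { _exit(PAM_AUTH_ERR); }` — assuming this runs in the forked child, which the preceding close(i) loop in the other two sections suggests but this hunk does not show. The same unchecked call is added in the support.c and pam_unix_passwd.c sections. The enclosing function starts and ends outside this hunk.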
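--- a/Linux-PAM-0.77/modules/pam_unix/support.c.only-root
+++ b/Linux-PAM-0.77/modules/pam_unix/support.c.only-root
@@ -620,6 +620,13 @@
 	  	   close(i);
 	  }	
 	}
+
+	if (SELINUX_ENABLED && geteuid() == 0) {
+          /* must set the real uid to 0 so the helper will not error
+	     out if pam is called from setuid binary (su, sudo...) */
+	  setuid(0);
+	}
+	
 	/* exec binary helper */
 	args[0] = x_strdup(CHKPWD_HELPER);
 	args[1] = x_strdup(user);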
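Review bot: The added comment at new lines 625-626 mixes indentation styles: line 625 is indented with spaces while line 626 and every other visible line of this file use tabs, and new line 629 is a tab-only line where an empty line is meant. Both will surface as whitespace noise in later diffs; indent line 625 with a tab like line 626 and make line 629 empty. The enclosing function starts and ends outside this hunk.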
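--- a/Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root
+++ b/Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root
@@ -268,6 +268,13 @@
 	  	   close(i);
 	  }	
 	}
+
+        if (SELINUX_ENABLED && geteuid() == 0) {
+          /* must set the real uid to 0 so the helper will not error
+             out if pam is called from setuid binary (su, sudo...) */
+          setuid(0);
+        }
+
 	/* exec binary helper */
 	args[0] = x_strdup(CHKPWD_HELPER);
 	args[1] = x_strdup(user);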
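Review bot: The block added at new lines 272-276 is indented with spaces (8 and 10) while every surrounding line in this hunk uses tabs (`\t}` at 270, `\t/* exec binary helper */` at 278), so the new code lines up only at a tab width of 8 and will churn in any later whitespace cleanup. Re-indent the five lines with tabs to match the file, as the `if` line of the same block in support.c does. The enclosing function starts and ends outside this hunk.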
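--- a/Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root
+++ b/Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root
@@ -466,13 +466,12 @@
 	}
 
 	/*
-	 * determine the current user's name is.
-	 * On a SELinux enabled system, policy will prevent third parties from using
-	 * unix_chkpwd as a password guesser.  Leaving the existing check prevents
-	 * su from working,  Since the current uid is the users and the password is
-	 * for root.
+	 * Determine what the current user's name is.
+	 * On a SELinux enabled system with a strict policy leaving the
+	 * existing check prevents shadow password authentication from working.
+	 * We must thus skip the check if the real uid is 0.
 	 */
-	if (SELINUX_ENABLED) {
+	if (SELINUX_ENABLED && getuid() == 0) {
 	  user=argv[1];
 	} 
 	else {
@@ -534,6 +533,7 @@
 	/* return pass or fail */
 
 	if ((retval != PAM_SUCCESS) || force_failure) {
+	    _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
 	    return PAM_AUTH_ERR;
 	} else {
 	    return PAM_SUCCESS;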
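Review bot: The new condition at new line 474 (`if (SELINUX_ENABLED && getuid() == 0)`) is the trust boundary for argv[1]: only a caller whose real uid is 0 may name the account to check, and everyone else is presumably bound to their own uid by the else branch, which continues outside the hunk. The rewritten comment explains why the old check broke su but not why trusting a real-root caller is safe, and it drops the old sentence about third parties using the helper as a password guesser; I would add after the sentence on line 472 `* A caller with real uid 0 can already read the shadow file, so letting it name the user gives away nothing; all other callers are bound to their own uid below.`. Since the helper runs set-uid root, geteuid() is 0 for every caller, so testing the real uid is the right choice and deserves a word in the same comment. The enclosing function starts and ends outside this hunk.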
