Gentoo's Bugzilla – Attachment 71286 Details for Bug 109485
sys-libs/pam: unix_chkpwd doesn't verify requesting user with SELinux (CAN-2005-2977)
[patch] pam-0.77-can-2005-2977.patch (text/plain), 3.07 KB, created by Chris PeBenito (RETIRED) on 2005-10-23 07:11:01 UTC
Description: pam-0.77-can-2005-2977.patch
Filename: pam-0.77-can-2005-2977.patch
MIME Type: text/plain
Creator: Chris PeBenito (RETIRED)
Created: 2005-10-23 07:11:01 UTC
Size: 3.07 KB
Flags: patch, obsolete
>When you set SELinux to permissive mode or the policy doesn't prevent >running unix_chkpwd as regular user it is possible to use unix_chkpwd >for checking any user's passwords from a regular user account. > >Because there is no delay and logging in unix_chkpwd it allows easy >brute-force attacks on passwords in /etc/shadow which probably >won't get noticed by administrator. > >This patch prevents this unwanted behaviour and also adds logging. > >--- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root 2005-10-07 18:40:47.000000000 +0200 >+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c 2005-10-17 00:23:50.000000000 +0200 >@@ -119,6 +119,13 @@ > } > } > } >+ >+ if (SELINUX_ENABLED && geteuid() == 0) { >+ /* must set the real uid to 0 so the helper will not error >+ out if pam is called from setuid binary (su, sudo...) */ >+ setuid(0); >+ } >+ > /* exec binary helper */ > args[0] = x_strdup(CHKPWD_HELPER); > args[1] = x_strdup(user); >--- Linux-PAM-0.77/modules/pam_unix/support.c.only-root 2005-10-07 18:40:47.000000000 +0200 >+++ Linux-PAM-0.77/modules/pam_unix/support.c 2005-10-07 18:40:47.000000000 +0200 >@@ -620,6 +620,13 @@ > close(i); > } > } >+ >+ if (SELINUX_ENABLED && geteuid() == 0) { >+ /* must set the real uid to 0 so the helper will not error >+ out if pam is called from setuid binary (su, sudo...) */ >+ setuid(0); >+ } >+ > /* exec binary helper */ > args[0] = x_strdup(CHKPWD_HELPER); > args[1] = x_strdup(user); >--- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root 2005-10-07 18:40:47.000000000 +0200 >+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c 2005-10-17 00:24:20.000000000 +0200 
>@@ -268,6 +268,13 @@ > close(i); > } > } >+ >+ if (SELINUX_ENABLED && geteuid() == 0) { >+ /* must set the real uid to 0 so the helper will not error >+ out if pam is called from setuid binary (su, sudo...) */ >+ setuid(0); >+ } >+ > /* exec binary helper */ > args[0] = x_strdup(CHKPWD_HELPER); > args[1] = x_strdup(user); >--- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root 2005-10-07 18:40:47.000000000 +0200 >+++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c 2005-10-07 18:40:47.000000000 +0200 >@@ -466,13 +466,12 @@ > } > > /* >- * determine the current user's name is. >- * On a SELinux enabled system, policy will prevent third parties from using >- * unix_chkpwd as a password guesser. Leaving the existing check prevents >- * su from working, Since the current uid is the users and the password is >- * for root. >+ * Determine what the current user's name is. >+ * On a SELinux enabled system with a strict policy leaving the >+ * existing check prevents shadow password authentication from working. >+ * We must thus skip the check if the real uid is 0. > */ >- if (SELINUX_ENABLED) { >+ if (SELINUX_ENABLED && getuid() == 0) { > user=argv[1]; > } > else { >@@ -534,6 +533,7 @@ > /* return pass or fail */ > > if ((retval != PAM_SUCCESS) || force_failure) { >+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user); > return PAM_AUTH_ERR; > } else { > return PAM_SUCCESS;
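Review bot: in the pam_unix_acct.c hunk the new `setuid(0)` before the exec of CHKPWD_HELPER ignores its return value. If the call fails, the real uid stays that of the calling user, the modified helper then takes its `getuid() != 0` branch and checks the caller's own password instead of the requested one, and the caller gets an unexplained PAM_AUTH_ERR. Test the result and, on failure, log it with the module's logging routine and exit the child before reaching `args[0] = x_strdup(CHKPWD_HELPER);`. Note also that with an effective uid of 0, `setuid(0)` sets the real, effective and saved uids, so from this point the child is fully root; whatever follows a failed exec in this function must exit immediately rather than continue.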
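Review bot: the support.c hunk is the third copy of the same seven-line block (`if (SELINUX_ENABLED && geteuid() == 0) { ... setuid(0); }`) that also appears in pam_unix_acct.c and pam_unix_passwd.c. Since all three precede the identical `/* exec binary helper */` sequence, factor the uid adjustment into one static helper in support.c and call it from each site, so that a later correction (for instance checking the `setuid` return value) lands in all three paths at once instead of drifting.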
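Review bot: the comment in the pam_unix_passwd.c hunk ("must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...)") documents the symptom but not the contract it depends on: it is the `getuid() == 0` test added to unix_chkpwd.c in this same patch that decides whether argv[1] is trusted. Say so in the comment, e.g. "unix_chkpwd only accepts a user name on the command line when its real uid is 0", so that a future change to the helper's check is not made without updating these callers.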
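Review bot: in the first unix_chkpwd.c hunk (@@ -466) the replaced comment is hard to parse ("On a SELinux enabled system with a strict policy leaving the existing check prevents shadow password authentication from working") and does not state the security property the new condition provides. Suggest rewording along the lines of: "Only trust the user name in argv[1] when the real uid is 0. SELinux policy may confine who can run this helper, but not in permissive mode or with a permissive policy, so an unprivileged caller must be restricted to checking its own password by the branch below." The real uid is the right key here: for a setuid-root helper it identifies the invoking user and cannot be changed by an unprivileged caller, so the `else` branch, which derives `user` from the caller rather than from argv[1], becomes the path for every non-root invocation regardless of SELinux mode.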
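Review bot: the `_log_err(LOG_NOTICE, "password check failed for user (%s)", user);` added in the second unix_chkpwd.c hunk (@@ -534) records only the target account, not who asked. Since the attachment description frames the problem as brute forcing that "won't get noticed by administrator", include the caller's real uid (`getuid()`) in the message so a log reader can tell an ordinary failed login from one account probing another. Two further points: the description also names the absence of a delay, and this hunk adds logging only, so either add a short delay on the failure path or state in the description that only logging is addressed; and on the uid 0 path `user` is taken verbatim from argv[1], so consider restricting the logged name to printable characters to keep a crafted argument from injecting line breaks into syslog.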