Attachment 71286 Details for Bug 109485 – pam-0.77-can-2005-2977.patch

[patch] pam-0.77-can-2005-2977.patch

pam-0.77-can-2005-2977.patch (text/plain), 3.07 KB, created by Chris PeBenito (RETIRED) on 2005-10-23 07:11:01 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Chris PeBenito (RETIRED)

Created: 2005-10-23 07:11:01 UTC

Size: 3.07 KB

patch

obsolete

>When you set SELinux to permissive mode or the policy doesn't prevent
>running unix_chkpwd as regular user it is possible to use unix_chkpwd
>for checking any user's passwords from a regular user account.
>
>Because there is no delay and logging in unix_chkpwd it allows easy
>brute-force attacks on passwords in /etc/shadow which probably
>won't get noticed by administrator.
>
>This patch prevents this unwanted behaviour and also adds logging.
>
>--- Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c.only-root	2005-10-07 18:40:47.000000000 +0200
>+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_acct.c	2005-10-17 00:23:50.000000000 +0200
>@@ -119,6 +119,13 @@
> 	}
>       }	
>     }
>+
>+    if (SELINUX_ENABLED && geteuid() == 0) {
>+      /* must set the real uid to 0 so the helper will not error
>+         out if pam is called from setuid binary (su, sudo...) */
>+      setuid(0);
>+    }
>+
>     /* exec binary helper */
>     args[0] = x_strdup(CHKPWD_HELPER);
>     args[1] = x_strdup(user);
>--- Linux-PAM-0.77/modules/pam_unix/support.c.only-root	2005-10-07 18:40:47.000000000 +0200
>+++ Linux-PAM-0.77/modules/pam_unix/support.c	2005-10-07 18:40:47.000000000 +0200
>@@ -620,6 +620,13 @@
> 	  	   close(i);
> 	  }	
> 	}
>+
>+	if (SELINUX_ENABLED && geteuid() == 0) {
>+          /* must set the real uid to 0 so the helper will not error
>+	     out if pam is called from setuid binary (su, sudo...) */
>+	  setuid(0);
>+	}
>+	
> 	/* exec binary helper */
> 	args[0] = x_strdup(CHKPWD_HELPER);
> 	args[1] = x_strdup(user);
>--- Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c.only-root	2005-10-07 18:40:47.000000000 +0200
>+++ Linux-PAM-0.77/modules/pam_unix/pam_unix_passwd.c	2005-10-17 00:24:20.000000000 +0200
>@@ -268,6 +268,13 @@
> 	  	   close(i);
> 	  }	
> 	}
>+
>+        if (SELINUX_ENABLED && geteuid() == 0) {
>+          /* must set the real uid to 0 so the helper will not error
>+             out if pam is called from setuid binary (su, sudo...) */
>+          setuid(0);
>+        }
>+
> 	/* exec binary helper */
> 	args[0] = x_strdup(CHKPWD_HELPER);
> 	args[1] = x_strdup(user);
>--- Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c.only-root	2005-10-07 18:40:47.000000000 +0200
>+++ Linux-PAM-0.77/modules/pam_unix/unix_chkpwd.c	2005-10-07 18:40:47.000000000 +0200
>@@ -466,13 +466,12 @@
> 	}
> 
> 	/*
>-	 * determine the current user's name is.
>-	 * On a SELinux enabled system, policy will prevent third parties from using
>-	 * unix_chkpwd as a password guesser.  Leaving the existing check prevents
>-	 * su from working,  Since the current uid is the users and the password is
>-	 * for root.
>+	 * Determine what the current user's name is.
>+	 * On a SELinux enabled system with a strict policy leaving the
>+	 * existing check prevents shadow password authentication from working.
>+	 * We must thus skip the check if the real uid is 0.
> 	 */
>-	if (SELINUX_ENABLED) {
>+	if (SELINUX_ENABLED && getuid() == 0) {
> 	  user=argv[1];
> 	} 
> 	else {
>@@ -534,6 +533,7 @@
> 	/* return pass or fail */
> 
> 	if ((retval != PAM_SUCCESS) || force_failure) {
>+	    _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
> 	    return PAM_AUTH_ERR;
> 	} else {
> 	    return PAM_SUCCESS;

Actions: View | Diff

Attachments on bug 109485: 71286