From f220cace205332a3dc34e7b37a85e7627e097e7d Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan" <morgan@kernel.org>
Date: Sat, 26 Jun 2021 14:18:08 -0700
Subject: [PATCH] Permit unix_chkpwd & pam_unix.so to run without being
setuid-root.
Remove the hard-coding of the idea that the only way pam_unix.so can
read the shadow file is if it can, in some way, run setuid-root.
Linux capabilities only require cap_dac_override to read the /etc/shadow
file.
This change achieves two things: it opens a path for a linux-pam
application to run without being setuid-root; further, it allows
unix_chkpwd to run non-setuid-root if it is installed:
sudo setcap cap_dac_override=ep unix_chkpwd
If we wanted to link against libcap, we could install this binary with
cap_dac_override=p, and use cap_set_proc() to raise the effective bit
at runtime. However, some distributions already link unix_chkpwd
against libcap-ng for some, likely spurious, reason so "ep" is fine
for now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Conflict:NA
Reference:https://github.com/linux-pam/linux-pam/commit/f220cace205332a3dc34e7b37a85e7627e097e7d
---
modules/pam_unix/passverify.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
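diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index fc2eaff..5bb518e 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -243,12 +243,16 @@ PAMH_ARG_DECL(int get_account_info,
 * ...and shadow password file entry for this user,
 * if shadowing is enabled
 */
+*spwdent = pam_modutil_getspnam(pamh, name);
+if (*spwdent == NULL) {
 #ifndef HELPER_COMPILE
-if (geteuid() || SELINUX_ENABLED)
-return PAM_UNIX_RUN_HELPER;
+/* still a chance the user can authenticate */
+if (errno == EACCES || SELINUX_ENABLED)
+return PAM_UNIX_RUN_HELPER;
 #endif
-*spwdent = pam_modutil_getspnam(pamh, name);
-if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+return PAM_AUTHINFO_UNAVAIL;
+}
+if ((*spwdent)->sp_pwdp == NULL)
 return PAM_AUTHINFO_UNAVAIL;
 }
 } else {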
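Review bot: The added `if (errno == EACCES || SELINUX_ENABLED)` test reads errno after `pam_modutil_getspnam()` returned NULL, but nothing in the hunk clears errno before that call and a not-found lookup is not required to set it, so a stale EACCES left by an earlier call can send a nonexistent-user lookup to the helper, while a stale non-EACCES value can equally hide a genuine shadow-file permission failure and turn it into PAM_AUTHINFO_UNAVAIL. Add `errno = 0;` immediately before the `*spwdent = pam_modutil_getspnam(pamh, name);` line so the comparison reflects this call only. This also presumes pam_modutil_getspnam passes through the errno of its underlying lookup rather than clobbering it on its own cleanup path; that is worth confirming in pam_modutil, as is that `<errno.h>` is already included in this file. A comment such as `/* EACCES means the shadow file is unreadable by us, not that the user is unknown */` above the test would make the distinction explicit for the next reader. get_account_info begins and ends outside this hunk.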
--
2.46.0