packages/pam
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
pam/backport-Permit-unix_chkpwd-pam_unix.so-to-run-without-being-setuid-root.patch
dongyuzhen 26162d8876 fix CVE-2024-10041
2024-12-17 14:31:54 +08:00

59 lines
2.1 KiB
Diff
Raw Permalink Blame History

From f220cace205332a3dc34e7b37a85e7627e097e7d Mon Sep 17 00:00:00 2001
From: "Andrew G. Morgan" <morgan@kernel.org>
Date: Sat, 26 Jun 2021 14:18:08 -0700
Subject: [PATCH] Permit unix_chkpwd & pam_unix.so to run without being
setuid-root.
Remove the hard-coding of the idea that the only way pam_unix.so can
read the shadow file is if it can, in some way, run setuid-root.
Linux capabilities only require cap_dac_override to read the /etc/shadow
file.
This change achieves two things: it opens a path for a linux-pam
application to run without being setuid-root; further, it allows
unix_chkpwd to run non-setuid-root if it is installed:
sudo setcap cap_dac_override=ep unix_chkpwd
If we wanted to link against libcap, we could install this binary with
cap_dac_override=p, and use cap_set_proc() to raise the effective bit
at runtime. However, some distributions already link unix_chkpwd
against libcap-ng for some, likely spurious, reason so "ep" is fine
for now.
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Conflict:NA
Reference:https://github.com/linux-pam/linux-pam/commit/f220cace205332a3dc34e7b37a85e7627e097e7d
---
modules/pam_unix/passverify.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index fc2eaff..5bb518e 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -243,12 +243,16 @@ PAMH_ARG_DECL(int get_account_info,
* ...and shadow password file entry for this user,
* if shadowing is enabled
*/
+ *spwdent = pam_modutil_getspnam(pamh, name);
+ if (*spwdent == NULL) {
#ifndef HELPER_COMPILE
- if (geteuid() || SELINUX_ENABLED)
- return PAM_UNIX_RUN_HELPER;
+ /* still a chance the user can authenticate */
+ if (errno == EACCES || SELINUX_ENABLED)
+ return PAM_UNIX_RUN_HELPER;
#endif
- *spwdent = pam_modutil_getspnam(pamh, name);
- if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
+ return PAM_AUTHINFO_UNAVAIL;
+ }
+ if ((*spwdent)->sp_pwdp == NULL)
return PAM_AUTHINFO_UNAVAIL;
}
} else {
--
2.46.0
Reference in New Issue View Git Blame Copy Permalink