45 lines
1.7 KiB
Diff
From 470823c4aacef5cb3b1180be6ed70846b61a3752 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin" <ldv@altlinux.org>
Date: Thu, 19 Aug 2021 08:00:00 +0000
Subject: [PATCH] pam_unix: workaround the problem caused by libnss_systemd

The getspnam(3) manual page says that errno shall be set to EACCES when
the caller does not have permission to access the shadow password file.
Unfortunately, this contract is broken when libnss_systemd is used in
the nss stack.

Workaround this problem by falling back to the helper invocation when
pam_modutil_getspnam returns NULL regardless of errno. As pam_unix
already behaves this way when selinux is enabled, it should be OK
for the case when selinux is not enabled, too.

* modules/pam_unix/passverify.c (get_account_info): When
pam_modutil_getspnam returns NULL, unconditionally fall back
to the helper invocation.

Complements: f220cace2053 ("Permit unix_chkpwd & pam_unix.so to run without being setuid-root")
Resolves: https://github.com/linux-pam/linux-pam/issues/379

Conflict:NA
Reference:https://github.com/linux-pam/linux-pam/commit/470823c4aacef5cb3b1180be6ed70846b61a3752
---
modules/pam_unix/passverify.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c
index 5bb518e..eb0fa74 100644
--- a/modules/pam_unix/passverify.c
+++ b/modules/pam_unix/passverify.c
@@ -247,8 +247,7 @@ PAMH_ARG_DECL(int get_account_info,
if (*spwdent == NULL) {
#ifndef HELPER_COMPILE
/* still a chance the user can authenticate */
- if (errno == EACCES || SELINUX_ENABLED)
- return PAM_UNIX_RUN_HELPER;
+ return PAM_UNIX_RUN_HELPER;
#endif
return PAM_AUTHINFO_UNAVAIL;
}
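Review bot: the comment above the new unconditional `return PAM_UNIX_RUN_HELPER;` still reads `/* still a chance the user can authenticate */` and does not record that errno is now deliberately ignored. Because the removed condition `errno == EACCES || SELINUX_ENABLED` matches what getspnam(3) documents, a later cleanup could plausibly restore it; suggest expanding the comment to say that libnss_systemd in the nss stack can leave errno at something other than EACCES (issue 379), so the helper is tried on any NULL result. Also, in builds without HELPER_COMPILE the trailing `return PAM_AUTHINFO_UNAVAIL;` is now unreachable inside this block, so the module path reports PAM_UNIX_RUN_HELPER for every NULL shadow lookup, including accounts that genuinely have no shadow entry. It is worth confirming that each caller of get_account_info treats a failed helper run the same way it previously treated PAM_AUTHINFO_UNAVAIL, and noting in the commit or a test that the helper is now spawned in that case.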
--
2.46.0