summaryrefslogtreecommitdiffstats
path: root/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 12:01:37 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 12:01:37 +0000
commitdcd7a5748ef6820e3e0d386139d9dd946f0d71fa (patch)
tree66900ada5e764c3422a91836695cdef113bbb883 /debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
parentAdding upstream version 1.4.0. (diff)
downloadpam-dcd7a5748ef6820e3e0d386139d9dd946f0d71fa.tar.xz
pam-dcd7a5748ef6820e3e0d386139d9dd946f0d71fa.zip
Adding debian version 1.4.0-9+deb11u1.debian/1.4.0-9+deb11u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch')
-rw-r--r--debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch25
1 files changed, 25 insertions, 0 deletions
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
new file mode 100644
index 0000000..11d4ee3
--- /dev/null
+++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch
@@ -0,0 +1,25 @@
+Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
+helper could be sgid shadow instead of suid root, as it is in Debian and
+Ubuntu by default. Drop any sgid bits as well.
+
+Authors: Steve Langasek <vorlon@debian.org>,
+ Michael Spang <mspang@csclub.uwaterloo.ca>
+
+Upstream status: to be submitted
+
+Index: pam/modules/pam_unix/unix_chkpwd.c
+===================================================================
+--- pam.orig/modules/pam_unix/unix_chkpwd.c
++++ pam/modules/pam_unix/unix_chkpwd.c
+@@ -137,9 +137,10 @@
+ /* if the caller specifies the username, verify that user
+ matches it */
+ if (strcmp(user, argv[1])) {
++ gid_t gid = getgid();
+ user = argv[1];
+ /* no match -> permanently change to the real user and proceed */
+- if (setuid(getuid()) != 0)
++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
+ return PAM_AUTH_ERR;
+ }
+ }