diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:22:53 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:22:53 +0000 |
commit | f4b22a2f215f6f80558d9e4075c9de306c8b9953 (patch) | |
tree | 05142dd668b11fc304d1c15faa52dee3784f8fa0 /debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch | |
parent | Adding upstream version 1.5.2. (diff) | |
download | pam-f4b22a2f215f6f80558d9e4075c9de306c8b9953.tar.xz pam-f4b22a2f215f6f80558d9e4075c9de306c8b9953.zip |
Adding debian version 1.5.2-6+deb12u1.debian/1.5.2-6+deb12u1debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch')
-rw-r--r-- | debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch new file mode 100644 index 0000000..6a9e525 --- /dev/null +++ b/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch @@ -0,0 +1,25 @@ +Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd +helper could be sgid shadow instead of suid root, as it is in Debian and +Ubuntu by default. Drop any sgid bits as well. + +Authors: Steve Langasek <vorlon@debian.org>, + Michael Spang <mspang@csclub.uwaterloo.ca> + +Upstream status: to be submitted + +Index: pam/modules/pam_unix/unix_chkpwd.c +=================================================================== +--- pam.orig/modules/pam_unix/unix_chkpwd.c ++++ pam/modules/pam_unix/unix_chkpwd.c +@@ -138,9 +138,10 @@ + /* if the caller specifies the username, verify that user + matches it */ + if (user == NULL || strcmp(user, argv[1])) { ++ gid_t gid = getgid(); + user = argv[1]; + /* no match -> permanently change to the real user and proceed */ +- if (setuid(getuid()) != 0) ++ if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0) + return PAM_AUTH_ERR; + } + } |