From f4b22a2f215f6f80558d9e4075c9de306c8b9953 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 16:22:53 +0200 Subject: Adding debian version 1.5.2-6+deb12u1. Signed-off-by: Daniel Baumann --- .../036_pam_wheel_getlogin_considered_harmful | 157 +++++++++++++++++++++ 1 file changed, 157 insertions(+) create mode 100644 debian/patches-applied/036_pam_wheel_getlogin_considered_harmful (limited to 'debian/patches-applied/036_pam_wheel_getlogin_considered_harmful') diff --git a/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful new file mode 100644 index 0000000..805c62f --- /dev/null +++ b/debian/patches-applied/036_pam_wheel_getlogin_considered_harmful @@ -0,0 +1,157 @@ +Patch for Debian bug #163787 et al + +Always use the process uid, not getlogin(), to identify an applicant in +pam_wheel; utmp may be wrong or may have no entry at all in the case of +an xterm + +Authors: Ben Collins + +Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net> + +Index: pam/modules/pam_wheel/pam_wheel.c +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.c ++++ pam/modules/pam_wheel/pam_wheel.c +@@ -47,9 +47,8 @@ + /* argument parsing */ + + #define PAM_DEBUG_ARG 0x0001 +-#define PAM_USE_UID_ARG 0x0002 +-#define PAM_TRUST_ARG 0x0004 +-#define PAM_DENY_ARG 0x0010 ++#define PAM_TRUST_ARG 0x0002 ++#define PAM_DENY_ARG 0x0004 + #define PAM_ROOT_ONLY_ARG 0x0020 + + static int +@@ -68,8 +67,7 @@ + + if (!strcmp(*argv,"debug")) + ctrl |= PAM_DEBUG_ARG; +- else if (!strcmp(*argv,"use_uid")) +- ctrl |= PAM_USE_UID_ARG; ++ else if (!strcmp(*argv,"use_uid")); /* ignored for compat. */ + else if (!strcmp(*argv,"trust")) + ctrl |= PAM_TRUST_ARG; + else if (!strcmp(*argv,"deny")) +@@ -118,39 +116,14 @@ + } + } + +- if (ctrl & PAM_USE_UID_ARG) { +- tpwd = pam_modutil_getpwuid (pamh, getuid()); +- if (tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; +- } +- fromsu = tpwd->pw_name; +- } else { +- fromsu = pam_modutil_getlogin(pamh); +- +- /* if getlogin fails try a fallback to PAM_RUSER */ +- if (fromsu == NULL) { +- const char *rhostname; +- +- retval = pam_get_item(pamh, PAM_RHOST, (const void **)&rhostname); +- if (retval != PAM_SUCCESS || rhostname == NULL) { +- retval = pam_get_item(pamh, PAM_RUSER, (const void **)&fromsu); +- } +- } +- +- if (fromsu != NULL) { +- tpwd = pam_modutil_getpwnam (pamh, fromsu); +- } +- +- if (fromsu == NULL || tpwd == NULL) { +- if (ctrl & PAM_DEBUG_ARG) { +- pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); +- } +- return PAM_SERVICE_ERR; ++ tpwd = pam_modutil_getpwuid (pamh, getuid()); ++ if (tpwd == NULL) { ++ if (ctrl & PAM_DEBUG_ARG) { ++ pam_syslog(pamh, LOG_NOTICE, "who is running me ?!"); + } ++ return PAM_SERVICE_ERR; + } ++ fromsu = tpwd->pw_name; + + /* + * At this point fromsu = username-of-invoker; tpwd = pwd ptr for fromsu +Index: pam/modules/pam_wheel/pam_wheel.8.xml +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.8.xml ++++ pam/modules/pam_wheel/pam_wheel.8.xml +@@ -33,9 +33,6 @@ + + trust + +- +- use_uid +- + + + +@@ -116,18 +113,6 @@ + + + +- +- +- +- +- +- +- The check will be done against the real uid of the calling process, +- instead of trying to obtain the user from the login session +- associated with the terminal in use. +- +- +- + + + +Index: pam/modules/pam_wheel/pam_wheel.8 +=================================================================== +--- pam.orig/modules/pam_wheel/pam_wheel.8 ++++ pam/modules/pam_wheel/pam_wheel.8 +@@ -31,7 +31,7 @@ + pam_wheel \- Only permit root access to members of group wheel + .SH "SYNOPSIS" + .HP \w'\fBpam_wheel\&.so\fR\ 'u +-\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid] ++\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] + .SH "DESCRIPTION" + .PP + The pam_wheel PAM module is used to enforce the so\-called +@@ -72,11 +72,6 @@ + .RS 4 + The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&. + .RE +-.PP +-\fBuse_uid\fR +-.RS 4 +-The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&. +-.RE + .SH "MODULE TYPES PROVIDED" + .PP + The +Index: pam/modules/pam_wheel/README +=================================================================== +--- pam.orig/modules/pam_wheel/README ++++ pam/modules/pam_wheel/README +@@ -39,12 +39,6 @@ + modules the wheel members may be able to su to root without being prompted + for a passwd). + +-use_uid +- +- The check will be done against the real uid of the calling process, instead +- of trying to obtain the user from the login session associated with the +- terminal in use. +- + EXAMPLES + + The root account gains access by default (rootok), only wheel members can -- cgit v1.2.3