On Tue, Aug 25, 2009 at 7:42 PM, Steve Langasek<vor...@debian.org> wrote:
> On Tue, Aug 25, 2009 at 07:13:55PM -0400, Michael Spang wrote:
>> I see two solutions:
>
>> 1. Use setgid(getgid()) as suggested in the patch. This closely
>> matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL
>> after getspnam() is called.
>
> What testing have you done of this approach? I agree that this appears to
> be the right thing to do, and it holds up to my own analysis but it would be
> great to have some empirical confirmation before I make the change.

I only verified that the particular problem I was having does not occur after having made this change. Security-wise, after dropping privileges unix_chkpwd won't be able to do anything the user himself could not, so I think we just have to make sure that part is correct.

If I use the following patch:

--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c +++ pam.deb/modules/pam_unix/unix_chkpwd.c @@ -101,10 +101,10 @@ /* if the caller specifies the username, verify that user matches it */ if (strcmp(user, argv[1])) { - user = argv[1]; - /* no match -> permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) - return PAM_AUTH_ERR; + gid_t gid = getgid(); + if (setregid(gid, gid) != 0) + return PAM_AUTH_ERR; + sleep(20); } }

Then I can at least verify that all privileges are dropped:

sid:1379:~% ps -eo ruser,euser,suser,rgroup,egroup,sgroup,args | grep chkpwd
mspang mspang mspang mspang mspang mspang /sbin/unix_chkpwd testuser chkexpiry

Michael
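
Review bot: the sleep(20) on the last added line is a test aid for inspecting the process with ps and should not be in the version that gets committed. The hunk also removes "user = argv[1];" along with the setuid() call, so after the strcmp() mismatch the code following this block continues with the caller's own name rather than the one passed in argv[1]; if only the privilege drop is meant to change, keep that assignment. The deleted comment explained why privileges are given up at this point, so a replacement comment stating that the group ID is dropped permanently would help. The proposal quoted above is setgid(getgid()) while this hunk calls setregid(gid, gid); the final patch should settle on one and say why.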
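
An added example, not part of the original message or the pam source: the same verification done from inside the process instead of with ps, checking that the real, effective and saved group IDs all match after setregid(). The helper name drop_setgid_permanently is hypothetical, and the regain check assumes the process does not hold CAP_SETGID.

```c
#define _GNU_SOURCE            /* getresgid() on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: permanently give up set-group-ID privilege.
 * Returns 0 only if the real, effective and saved GID all equal the
 * caller's real GID and the old effective GID cannot be regained. */
int drop_setgid_permanently(void)
{
    gid_t rgid = getgid();
    gid_t old_egid = getegid();
    gid_t r, e, s;

    /* Same call as in the test patch: sets the real and effective GID,
     * and the saved GID follows the new effective GID. */
    if (setregid(rgid, rgid) != 0)
        return -1;

    /* Read back all three IDs instead of trusting the return value. */
    if (getresgid(&r, &e, &s) != 0)
        return -1;
    if (r != rgid || e != rgid || s != rgid)
        return -1;

    /* If the binary was setgid, switching back must now fail.
     * Assumption: the process does not hold CAP_SETGID. */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;

    return 0;
}

int main(void)
{
    gid_t r, e, s;

    if (drop_setgid_permanently() != 0) {
        fprintf(stderr, "group privileges were not fully dropped\n");
        return 1;
    }
    getresgid(&r, &e, &s);
    /* Equivalent of the rgroup, egroup, sgroup columns in the ps output. */
    printf("rgid=%d egid=%d sgid=%d\n", (int)r, (int)e, (int)s);
    return 0;
}
```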