On Tue, Aug 25, 2009 at 7:42 PM, Steve Langasek<vor...@debian.org> wrote:
> On Tue, Aug 25, 2009 at 07:13:55PM -0400, Michael Spang wrote:
>> I see two solutions:
>
>> 1. Use setgid(getgid()) as suggested in the patch. This closely
>>    matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL
>>    after getspnam() is called.
>
> What testing have you done of this approach?  I agree that this appears to
> be the right thing to do, and it holds up to my own analysis but it would be
> great to have some empirical confirmation before I make the change.

I only verified that the particular problem I was having does not
occur after having made this change. Security-wise, after dropping
privileges unix_chkpwd won't be able to do anything the user himself
could not, so I think we just have to make sure that part is correct.

If I use the following patch:

--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
+++ pam.deb/modules/pam_unix/unix_chkpwd.c
@@ -101,10 +101,10 @@
          /* if the caller specifies the username, verify that user
             matches it */
          if (strcmp(user, argv[1])) {
-           user = argv[1];
-           /* no match -> permanently change to the real user and proceed */
-           if (setuid(getuid()) != 0)
-               return PAM_AUTH_ERR;
+           gid_t gid = getgid();
+           if (setregid(gid, gid) != 0)
+               return PAM_AUTH_ERR;
+           sleep(20);
          }
        }
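
Review bot: the sleep(20) added at the end of the mismatch branch only holds the process open so it can be inspected, and must come out before this is applied, since it would stall every call where the names differ by 20 seconds. The hunk also deletes "user = argv[1];", so the code after this block carries on with the original user value rather than the name the caller passed; if that is intended, the comment above the strcmp() should say so, and the removed "no match -> permanently change to the real user and proceed" comment should be replaced with one describing the group drop. Minor style point: "gid_t gid" is declared in the middle of the block; a one-line comment that setregid(gid, gid) is meant as a permanent drop would also help the next reader.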


Then I can at least verify that all privileges are dropped:

sid:1379:~% ps -eo ruser,euser,suser,rgroup,egroup,sgroup,args | grep chkpwd
mspang   mspang   mspang   mspang   mspang   mspang   /sbin/unix_chkpwd testuser chkexpiry

Michael
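
The same check done from inside the process rather than with ps, as an added example that is not part of the original message or of the pam source. The helper names are hypothetical, and it assumes Linux, where /proc/self/status carries a "Gid:" line with the real, effective and saved group IDs.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the real, effective and saved GIDs from the "Gid:" line of
 * /proc/self/status (Linux-specific). These are the values ps shows in
 * its rgroup/egroup/sgroup columns. Returns 0 on success, -1 otherwise. */
static int read_gids(unsigned *rgid, unsigned *egid, unsigned *sgid)
{
    char line[256];
    int found = -1;
    FILE *fp = fopen("/proc/self/status", "r");

    if (fp == NULL)
        return -1;
    while (found != 0 && fgets(line, sizeof line, fp) != NULL)
        if (sscanf(line, "Gid: %u %u %u", rgid, egid, sgid) == 3)
            found = 0;
    fclose(fp);
    return found;
}

/* Hypothetical helper: drop setgid privileges for good, then confirm it.
 * Returns 0 only if all three GIDs equal the caller's real GID and the
 * former effective GID can no longer be restored. */
int drop_setgid_and_verify(void)
{
    gid_t gid = getgid();
    gid_t old_egid = getegid();
    unsigned r, e, s;

    /* Same call as in the patch: sets real, effective and saved GID. */
    if (setregid(gid, gid) != 0 || read_gids(&r, &e, &s) != 0)
        return -1;
    if (r != gid || e != gid || s != gid)
        return -1;
    /* If we really were setgid, getting the old group back must fail. */
    if (old_egid != gid && setegid(old_egid) == 0)
        return -1;
    return 0;
}

int main(void)
{
    int rc = drop_setgid_and_verify();
    printf("group privileges dropped: %s\n", rc == 0 ? "yes" : "NO");
    return rc == 0 ? 0 : 1;
}
```

Checking the saved GID matters because a process that keeps the old group there can switch back to it later; a process that still holds CAP_SETGID (for example one running as root) will fail the final check by design.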


