pam_unix: reject unix_update(8) running on different unprivileged user

In case unix_update(8) is installed as a setuid binary, which Fedora and
Debian does not do, prevent unprivileged users to probe (and eventually
change) passwords of other users (including root).

1 files changed, 13 insertions, 3 deletions

diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 4adaa5af..95e99494 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -42,6 +42,7 @@ static int
 set_password(const char *forwho, const char *shadow, const char *remember)
 {
     struct passwd *pwd = NULL;
+    uid_t ruid;
     int retval;
     char pass[PAM_MAX_RESP_SIZE + 1];
     char towhat[PAM_MAX_RESP_SIZE + 1];
@@ -80,9 +81,18 @@ set_password(const char *forwho, const char *shadow, const char *remember)
     }
 
     /* If real caller uid is not root we must verify that
-       received old pass agrees with the current one.
-       We always allow change from null pass. */
-    if (getuid()) {
+     * the target user is the caller and the
+     * received old pass agrees with the current one.
+     * We always allow change from null pass. */
+    ruid = getuid();
+    if (ruid != 0) {
+	if (pwd->pw_uid != ruid) {
+	    helper_log_err(LOG_NOTICE, "user mismatch detected: source=%d target=%d",
+	                   ruid, pwd->pw_uid);
+	    retval = PAM_AUTHTOK_ERR;
+	    goto done;
+	}
+
 	retval = helper_verify_password(forwho, pass, 1);
 #ifdef HAVE_LIBAUDIT
 	audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval);