Relevant BUGIDs: 112540

Purpose of commit: minor security bugfix

Commit summary:
---------------
Fixes for the password helper binaries.
Before, there was no check that the password entered was actually that
of the intended user being authenticated. Instead, the password was
checked for the requesting user. While this disstinction sounds like a
security hole, its actually not been a problem in practice. The helper
binaries have only been used in the case that the application is not
setuid-0 and as such even if an improper authentication succeeded, the
application could not change its uid from that of the requesting user.

1 files changed, 2 insertions, 1 deletions

diff --git a/modules/pam_unix/Makefile b/modules/pam_unix/Makefile
index dc0b6ac2..e627d728 100644
--- a/modules/pam_unix/Makefile
+++ b/modules/pam_unix/Makefile
@@ -148,7 +148,8 @@ ifdef DYNAMIC
 	for x in pam_unix_auth pam_unix_acct pam_unix_passwd pam_unix_session;\
 		do ln -sf $(LIBSHARED) $(FAKEROOT)$(SECUREDIR)/$$x.so ; done
 endif
-	install $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)
+	$(MKDIR) $(FAKEROOT)$(SUPLEMENTED)
+	install -m 4555 $(CHKPWD) $(FAKEROOT)$(SUPLEMENTED)
 
 remove:
 	rm -f $(FAKEROOT)$(SECUREDIR)/$(LIBSHARED)