pam_unix: try to set uid to 0 for unix_chkpwd

The geteuid check does not cover all cases. If a program runs with
elevated capabilities like CAP_SETUID then we can still check
credentials of other users.

Keep logging for future analysis though.

Resolves: https://github.com/linux-pam/linux-pam/issues/747
Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>

1 files changed, 9 insertions, 8 deletions

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 8f5ed3e0..7ffcb9e3 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
       _exit(PAM_AUTHINFO_UNAVAIL);
     }
 
-    if (geteuid() == 0) {
-      /* must set the real uid to 0 so the helper will not error
-         out if pam is called from setuid binary (su, sudo...) */
-      if (setuid(0) == -1) {
-          pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
-          printf("-1\n");
-          fflush(stdout);
-          _exit(PAM_AUTHINFO_UNAVAIL);
+    /* must set the real uid to 0 so the helper will not error
+       out if pam is called from setuid binary (su, sudo...) */
+    if (setuid(0) == -1) {
+      uid_t euid = geteuid();
+      pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
+      if (euid == 0) {
+	printf("-1\n");
+	fflush(stdout);
+	_exit(PAM_AUTHINFO_UNAVAIL);
       }
     }