author | Tomas Mraz <tm@t8m.info> | 2005-10-26 19:05:32 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2005-10-26 19:05:32 +0000 |
commit | dba185605b1f9ce2d8d7e90b956abe9fa0487f24 (patch) | |
tree | f77ad7cda420c90dab1f795b4f459e2fd6c699e4 /modules/pam_unix/unix_chkpwd.c | |
parent | d9b712775c5f1962d3490b43465537c3e28a8c49 (diff) | |
Relevant BUGIDs: Red Hat bz 168180
Purpose of commit: bugfix
Commit summary:
---------------
2005-10-26 Tomas Mraz <t8m@centrum.cz>
* modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary),
modules/pam_unix/pam_unix_passwd.c (_unix_run_shadow_binary),
modules/pam_unix/support.c (_unix_run_shadow_binary_): Set real
uid to 0 before executing the helper if SELinux is enabled.
* modules/pam_unix/unix_chkpwd.c (main): Disable user check only
if real uid is 0 (CVE-2005-2977). Log failed password check attempt.
Diffstat (limited to 'modules/pam_unix/unix_chkpwd.c')
-rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index cc42c4df..b817f658 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -457,13 +457,12 @@ int main(int argc, char *argv[])
 }
 /*
- * determine the current user's name is.
- * On a SELinux enabled system, policy will prevent third parties from using
- * unix_chkpwd as a password guesser. Leaving the existing check prevents
- * su from working, Since the current uid is the users and the password is
- * for root.
+ * Determine what the current user's name is.
+ * On a SELinux enabled system with a strict policy leaving the
+ * existing check prevents shadow password authentication from working.
+ * We must thus skip the check if the real uid is 0.
 */
- if (SELINUX_ENABLED) {
+ if (SELINUX_ENABLED && getuid() == 0) {
 user=argv[1];
 } else {
@@ -525,6 +524,7 @@ int main(int argc, char *argv[])
 /* return pass or fail */
 if ((retval != PAM_SUCCESS) || force_failure) {
+ _log_err(LOG_NOTICE, "password check failed for user (%s)", user);
 return PAM_AUTH_ERR;
 } else {
 return PAM_SUCCESS;
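Review bot: The rewritten comment in the first hunk says the check is skipped when the real uid is 0 but not why `getuid()` rather than `geteuid()` is the right discriminator, and that distinction is the whole of CVE-2005-2977 named in the commit message. Since the helper is installed setuid root (the commit message describes callers setting the real uid to 0 before exec), the effective uid is 0 for every caller and only the real uid tells a root invocation from an unprivileged one that wants to use the helper as a password oracle. Suggest adding to the comment: ` * The helper runs setuid root, so the effective uid is always 0; only the real uid (getuid()) identifies a caller that is actually root.` The main() body this sits in starts and ends outside the hunk, so the else branch that derives `user` from the real uid is not visible here.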
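Review bot: The new `_log_err` line in the second hunk records the target user name but not who made the request, which is the one fact the fix in the first hunk now turns on. For a log reader trying to tell a user's own mistyped password from repeated checks driven by another account, the calling real uid is the useful field: `_log_err(LOG_NOTICE, "password check failed for user (%s) from uid %lu", user, (unsigned long)getuid());`. The name is passed as a `%s` argument rather than as the format, which is correct; when `user` came from `argv[1]` via the root-only path it is still caller-supplied text, so keeping it as a format argument matters. main() continues outside the hunk.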