1 files changed, 0 insertions, 32 deletions

diff --git a/debian/patches/pam_unix_dont_trust_chkpwd_caller.patch b/debian/patches/pam_unix_dont_trust_chkpwd_caller.patch
deleted file mode 100644
index 5a94c25d..00000000
--- a/debian/patches/pam_unix_dont_trust_chkpwd_caller.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From: Sam Hartman <hartmans@debian.org>
-Date: Mon, 11 Sep 2023 14:00:42 -0600
-Subject: pam_unix_dont_trust_chkpwd_caller
-
-Dropping suid bits is not enough to let us trust the caller; the unix_chkpwd
-helper could be sgid shadow instead of suid root, as it is in Debian and
-Ubuntu by default.  Drop any sgid bits as well.
-
-Authors: Steve Langasek <vorlon@debian.org>,
-         Michael Spang <mspang@csclub.uwaterloo.ca>
-
-Upstream status: to be submitted
----
- modules/pam_unix/unix_chkpwd.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
-index 556a2e2..5e7b571 100644
---- a/modules/pam_unix/unix_chkpwd.c
-+++ b/modules/pam_unix/unix_chkpwd.c
-@@ -138,9 +138,10 @@ int main(int argc, char *argv[])
- 	  /* if the caller specifies the username, verify that user
- 	     matches it */
- 	  if (user == NULL || strcmp(user, argv[1])) {
-+	    gid_t gid = getgid();
- 	    user = argv[1];
- 	    /* no match -> permanently change to the real user and proceed */
--	    if (setuid(getuid()) != 0)
-+	    if (setresgid(gid, gid, gid) != 0 || setuid(getuid()) != 0)
- 		return PAM_AUTH_ERR;
- 	  }
- 	}