diff options
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/pam_unix/pam_unix_acct.c | 7 | ||||
| -rw-r--r-- | modules/pam_unix/pam_unix_passwd.c | 7 | ||||
| -rw-r--r-- | modules/pam_unix/support.c | 7 | ||||
| -rw-r--r-- | modules/pam_unix/unix_chkpwd.c | 12 |
4 files changed, 27 insertions, 6 deletions
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 324ab5ed..ec47d4b6 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -116,6 +116,13 @@ struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, cons } } } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index 50a81e38..727f3b3b 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -263,6 +263,13 @@ static int _unix_run_shadow_binary(pam_handle_t *pamh, unsigned int ctrl, const close(i); } } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 3ed4b1f3..38a5d88b 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -521,6 +521,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, close(i); } } + + if (SELINUX_ENABLED && geteuid() == 0) { + /* must set the real uid to 0 so the helper will not error + out if pam is called from setuid binary (su, sudo...) */ + setuid(0); + } + /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); args[1] = x_strdup(user); diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index cc42c4df..b817f658 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -457,13 +457,12 @@ int main(int argc, char *argv[]) } /* - * determine the current user's name is. - * On a SELinux enabled system, policy will prevent third parties from using - * unix_chkpwd as a password guesser. Leaving the existing check prevents - * su from working, Since the current uid is the users and the password is - * for root. + * Determine what the current user's name is. + * On a SELinux enabled system with a strict policy leaving the + * existing check prevents shadow password authentication from working. + * We must thus skip the check if the real uid is 0. */ - if (SELINUX_ENABLED) { + if (SELINUX_ENABLED && getuid() == 0) { user=argv[1]; } else { @@ -525,6 +524,7 @@ int main(int argc, char *argv[]) /* return pass or fail */ if ((retval != PAM_SUCCESS) || force_failure) { + _log_err(LOG_NOTICE, "password check failed for user (%s)", user); return PAM_AUTH_ERR; } else { return PAM_SUCCESS; |