From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Wed, 24 Jan 2024 18:57:42 +0100
Subject: pam_unix: try to set uid to 0 for unix_chkpwd

The geteuid check does not cover all cases. If a program runs with elevated capabilities like CAP_SETUID then we can still check credentials of other users. Keep logging for future analysis though.

Resolves: https://github.com/linux-pam/linux-pam/issues/747
Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
Signed-off-by: Tobias Stoeckmann
---
 modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)
(limited to 'modules/pam_unix/pam_unix_acct.c')

diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
index 8f5ed3e0..7ffcb9e3 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
 _exit(PAM_AUTHINFO_UNAVAIL);
 }
- if (geteuid() == 0) {
- /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */
- if (setuid(0) == -1) {
- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
- printf("-1\n");
- fflush(stdout);
- _exit(PAM_AUTHINFO_UNAVAIL);
+ /* must set the real uid to 0 so the helper will not error out if pam is called from setuid binary (su, sudo...) */
+ if (setuid(0) == -1) {
+ uid_t euid = geteuid();
+ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
+ if (euid == 0) {
+ printf("-1\n");
+ fflush(stdout);
+ _exit(PAM_AUTHINFO_UNAVAIL);
 }
 }
-- cgit v1.2.3
From 4d1d4f699551f395be065e60513eaf85f01b84e6 Mon Sep 17 00:00:00 2001
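Review bot: The comment carried over to the new side still says the real uid "must" be set to 0, but the code under it now tolerates a failed setuid(0) whenever the effective uid is not 0 and presumably goes on to exec the helper with the caller's own credentials, so the comment should say that the call is attempted for root and CAP_SETUID callers alike, that failure is fatal only when euid is 0, and that otherwise the helper is relied on to enforce its own caller checks. Because setuid(0) fails with EPERM on every unprivileged invocation, the LOG_DEBUG message is now emitted on every such call; gating it with the module's debug flag, `if (euid == 0 || on(UNIX_DEBUG, ctrl))` before the pam_syslog, would keep syslog quiet while preserving the analysis trail the commit message asks for. The `euid == 0` test is also evaluated twice (ternary and branch); moving the pam_syslog into an `if (euid == 0) { ... } else { ... }` split reads more plainly. _unix_run_verify_binary starts before the hunk and its fork/exec of the helper continues after it.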
From: "Dmitry V. Levin"
Date: Wed, 21 Aug 2024 08:00:00 +0000
Subject: Include pam_i18n.h where i18n definitions are required

Do not include and other i18n stuff via config.h which is included into every compilation unit, include "pam_i18n.h" explicitly where necessary.

* configure.ac (AH_BOTTOM): Remove.
* libpam/pam_get_authtok.c: Include "pam_i18n.h".
* libpam/pam_item.c: Likewise.
* libpam/pam_strerror.c: Likewise.
* libpam_misc/misc_conv.c: Likewise.
* modules/pam_exec/pam_exec.c: Likewise.
* modules/pam_faillock/main.c: Likewise.
* modules/pam_faillock/pam_faillock.c: Likewise.
* modules/pam_lastlog/pam_lastlog.c: Likewise.
* modules/pam_limits/pam_limits.c: Likewise.
* modules/pam_mail/pam_mail.c: Likewise.
* modules/pam_mkhomedir/pam_mkhomedir.c: Likewise.
* modules/pam_pwhistory/pam_pwhistory.c: Likewise.
* modules/pam_selinux/pam_selinux.c: Likewise.
* modules/pam_selinux/pam_selinux_check.c: Likewise.
* modules/pam_timestamp/pam_timestamp.c: Likewise.
* modules/pam_unix/pam_unix_acct.c: Likewise.
* modules/pam_unix/pam_unix_passwd.c: Likewise.
* modules/pam_userdb/pam_userdb.c: Likewise.
---
 configure.ac | 9 ---------
 libpam/pam_get_authtok.c | 1 +
 libpam/pam_item.c | 1 +
 libpam/pam_start.c | 1 +
 libpam/pam_strerror.c | 1 +
 libpam_misc/misc_conv.c | 2 ++
 modules/pam_exec/pam_exec.c | 1 +
 modules/pam_faillock/main.c | 1 +
 modules/pam_faillock/pam_faillock.c | 1 +
 modules/pam_lastlog/pam_lastlog.c | 1 +
 modules/pam_limits/pam_limits.c | 1 +
 modules/pam_mail/pam_mail.c | 1 +
 modules/pam_mkhomedir/pam_mkhomedir.c | 1 +
 modules/pam_pwhistory/pam_pwhistory.c | 1 +
 modules/pam_selinux/pam_selinux.c | 1 +
 modules/pam_selinux/pam_selinux_check.c | 2 ++
 modules/pam_timestamp/pam_timestamp.c | 1 +
 modules/pam_unix/pam_unix_acct.c | 1 +
 modules/pam_unix/pam_unix_passwd.c | 1 +
 modules/pam_userdb/pam_userdb.c | 1 +
 20 files changed, 21 insertions(+), 9 deletions(-)
(limited to 'modules/pam_unix/pam_unix_acct.c')
diff --git a/configure.ac b/configure.ac index 0c5fd4cd..0bbf50ed 100644 --- a/configure.ac +++ b/configure.ac @@ -706,15 +706,6 @@ AM_GNU_GETTEXT([external]) AC_CHECK_FUNCS(bindtextdomain) AC_CHECK_FUNCS(dngettext) -AH_BOTTOM([#ifdef ENABLE_NLS -#include -#define _(msgid) dgettext(PACKAGE, msgid) -#define N_(msgid) msgid -#else -#define _(msgid) (msgid) -#define N_(msgid) msgid -#endif /* ENABLE_NLS */]) - dnl dnl Check for the availability of the kernel key management facility dnl - The pam_keyinit module only requires the syscalls, not the error codes diff --git a/libpam/pam_get_authtok.c b/libpam/pam_get_authtok.c index 7a38698a..c8973275 100644 --- a/libpam/pam_get_authtok.c +++ b/libpam/pam_get_authtok.c @@ -33,6 +33,7 @@ #include "pam_private.h" #include "pam_inline.h" +#include "pam_i18n.h" #include diff --git a/libpam/pam_item.c b/libpam/pam_item.c index c3a5a3bd..2e43d767 100644 --- a/libpam/pam_item.c +++ b/libpam/pam_item.c @@ -6,6 +6,7 @@ #include "pam_private.h" #include "pam_inline.h" +#include "pam_i18n.h" #include #include diff --git a/libpam/pam_start.c b/libpam/pam_start.c index ef9fdb02..97bc35b1 100644 --- a/libpam/pam_start.c +++ b/libpam/pam_start.c @@ -8,6 +8,7 @@ */ #include "pam_private.h" +#include "pam_i18n.h" #include #include diff --git a/libpam/pam_strerror.c b/libpam/pam_strerror.c index 17c81945..37f1e3b2 100644 --- a/libpam/pam_strerror.c +++ b/libpam/pam_strerror.c @@ -32,6 +32,7 @@ */ #include "pam_private.h" +#include "pam_i18n.h" const char *pam_strerror(pam_handle_t *pamh UNUSED, int errnum) { diff --git a/libpam_misc/misc_conv.c b/libpam_misc/misc_conv.c index 6b839b48..fa3848e3 100644 --- a/libpam_misc/misc_conv.c +++ b/libpam_misc/misc_conv.c @@ -17,7 +17,9 @@ #include #include + #include "pam_inline.h" +#include "pam_i18n.h" #define INPUTSIZE PAM_MISC_CONV_BUFSIZE /* maximum length of input+1 */ #define CONV_ECHO_ON 1 /* types of echo state */ 
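Review bot: The libpam/pam_start.c section gains `#include "pam_i18n.h"` and appears in the diffstat, but the commit message's file-by-file list never mentions it; the description should carry the matching entry `* libpam/pam_start.c: Likewise.` so the ChangeLog-style record agrees with what was actually touched. The pam_get_authtok.c, pam_item.c, pam_strerror.c and misc_conv.c sections on the same line are listed correctly and need nothing further.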
diff --git a/modules/pam_exec/pam_exec.c b/modules/pam_exec/pam_exec.c index 5468e179..c3ecb248 100644 --- a/modules/pam_exec/pam_exec.c +++ b/modules/pam_exec/pam_exec.c @@ -55,6 +55,7 @@ #include #include #include "pam_inline.h" +#include "pam_i18n.h" #define ENV_ITEM(n) { (n), #n } static struct { diff --git a/modules/pam_faillock/main.c b/modules/pam_faillock/main.c index 57989ba6..c6dd19cb 100644 --- a/modules/pam_faillock/main.c +++ b/modules/pam_faillock/main.c @@ -52,6 +52,7 @@ #endif #include "pam_inline.h" +#include "pam_i18n.h" #include "faillock.h" #include "faillock_config.h" diff --git a/modules/pam_faillock/pam_faillock.c b/modules/pam_faillock/pam_faillock.c index 038a95ea..93850380 100644 --- a/modules/pam_faillock/pam_faillock.c +++ b/modules/pam_faillock/pam_faillock.c @@ -54,6 +54,7 @@ #include #include "pam_inline.h" +#include "pam_i18n.h" #include "faillock.h" #include "faillock_config.h" diff --git a/modules/pam_lastlog/pam_lastlog.c b/modules/pam_lastlog/pam_lastlog.c index 2daedb7c..ded76763 100644 --- a/modules/pam_lastlog/pam_lastlog.c +++ b/modules/pam_lastlog/pam_lastlog.c @@ -66,6 +66,7 @@ struct lastlog { #include #include #include "pam_inline.h" +#include "pam_i18n.h" /* argument parsing */ diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c index 51276265..1197e25c 100644 --- a/modules/pam_limits/pam_limits.c +++ b/modules/pam_limits/pam_limits.c @@ -114,6 +114,7 @@ struct pam_limit_s { #include #include #include "pam_inline.h" +#include "pam_i18n.h" /* argument parsing */ diff --git a/modules/pam_mail/pam_mail.c b/modules/pam_mail/pam_mail.c index 2b77e560..3202ce0c 100644 --- a/modules/pam_mail/pam_mail.c +++ b/modules/pam_mail/pam_mail.c @@ -35,6 +35,7 @@ #include #include #include "pam_inline.h" +#include "pam_i18n.h" /* argument parsing */ diff --git a/modules/pam_mkhomedir/pam_mkhomedir.c b/modules/pam_mkhomedir/pam_mkhomedir.c index 72fa7840..71d02b6d 100644 
--- a/modules/pam_mkhomedir/pam_mkhomedir.c +++ b/modules/pam_mkhomedir/pam_mkhomedir.c @@ -51,6 +51,7 @@ #include "pam_cc_compat.h" #include "pam_inline.h" +#include "pam_i18n.h" /* argument parsing */ #define MKHOMEDIR_DEBUG 020 /* be verbose about things */ diff --git a/modules/pam_pwhistory/pam_pwhistory.c b/modules/pam_pwhistory/pam_pwhistory.c index 7ff74bdf..e43bd9b2 100644 --- a/modules/pam_pwhistory/pam_pwhistory.c +++ b/modules/pam_pwhistory/pam_pwhistory.c @@ -63,6 +63,7 @@ #include "opasswd.h" #include "pam_inline.h" +#include "pam_i18n.h" #include "pwhistory_config.h" diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index b0123c8f..a9276123 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -57,6 +57,7 @@ #include #include #include "pam_inline.h" +#include "pam_i18n.h" #include #include diff --git a/modules/pam_selinux/pam_selinux_check.c b/modules/pam_selinux/pam_selinux_check.c index 30526d37..753aa88f 100644 --- a/modules/pam_selinux/pam_selinux_check.c +++ b/modules/pam_selinux/pam_selinux_check.c @@ -55,6 +55,8 @@ #include /* for PAM functions */ #include /* for misc_conv PAM utility function */ +#include "pam_i18n.h" + #define SERVICE_NAME "pam_selinux_check" /* the name of this program for PAM */ /* The file containing the context to run * the scripts under. */ diff --git a/modules/pam_timestamp/pam_timestamp.c b/modules/pam_timestamp/pam_timestamp.c index edecc052..51fcd592 100644 --- a/modules/pam_timestamp/pam_timestamp.c +++ b/modules/pam_timestamp/pam_timestamp.c @@ -72,6 +72,7 @@ #include #include #include "pam_inline.h" +#include "pam_i18n.h" /* The default timeout we use is 5 minutes, which matches the sudo default * for the timestamp_timeout parameter. */ diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 7ffcb9e3..befd3c99 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c 
@@ -57,6 +57,7 @@ #include #include +#include "pam_i18n.h" #include "pam_cc_compat.h" #include "support.h" #include "passverify.h" diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c index c3c6ea7a..4a3784a5 100644 --- a/modules/pam_unix/pam_unix_passwd.c +++ b/modules/pam_unix/pam_unix_passwd.c @@ -67,6 +67,7 @@ #include #include "pam_inline.h" +#include "pam_i18n.h" #include "pam_cc_compat.h" #include "md5.h" #include "support.h" diff --git a/modules/pam_userdb/pam_userdb.c b/modules/pam_userdb/pam_userdb.c index 3bcb4c87..40ede6de 100644 --- a/modules/pam_userdb/pam_userdb.c +++ b/modules/pam_userdb/pam_userdb.c @@ -41,6 +41,7 @@ #include #include #include "pam_inline.h" +#include "pam_i18n.h" #ifndef HAVE_GDBM_H # define COND_UNUSED UNUSED -- cgit v1.2.3