From f220cace205332a3dc34e7b37a85e7627e097e7d Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sat, 26 Jun 2021 14:18:08 -0700 Subject: Permit unix_chkpwd & pam_unix.so to run without being setuid-root. Remove the hard-coding of the idea that the only way pam_unix.so can read the shadow file is if it can, in some way, run setuid-root. Linux capabilities only require cap_dac_override to read the /etc/shadow file. This change achieves two things: it opens a path for a linux-pam application to run without being setuid-root; further, it allows unix_chkpwd to run non-setuid-root if it is installed: sudo setcap cap_dac_override=ep unix_chkpwd If we wanted to link against libcap, we could install this binary with cap_dac_override=p, and use cap_set_proc() to raise the effective bit at runtime. However, some distributions already link unix_chkpwd against libcap-ng for some, likely spurious, reason so "ep" is fine for now. Signed-off-by: Andrew G. Morgan --- modules/pam_unix/passverify.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'modules/pam_unix/passverify.c') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index e833402c..5460b057 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -241,12 +241,16 @@ PAMH_ARG_DECL(int get_account_info, * ...and shadow password file entry for this user, * if shadowing is enabled */ + *spwdent = pam_modutil_getspnam(pamh, name); + if (*spwdent == NULL) { #ifndef HELPER_COMPILE - if (geteuid() || SELINUX_ENABLED) - return PAM_UNIX_RUN_HELPER; + /* still a chance the user can authenticate */ + if (errno == EACCES || SELINUX_ENABLED) + return PAM_UNIX_RUN_HELPER; #endif - *spwdent = pam_modutil_getspnam(pamh, name); - if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL) + return PAM_AUTHINFO_UNAVAIL; + } + if ((*spwdent)->sp_pwdp == NULL) return PAM_AUTHINFO_UNAVAIL; } } else { -- cgit v1.2.3