From 4e4d6bb78e3bd6430838d854832c58f104d5f559 Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Sun, 11 Feb 2001 06:33:53 +0000 Subject: Relevant BUGIDs: 112540 Purpose of commit: minor security bugfix Commit summary: --------------- Fixes for the password helper binaries. Before, there was no check that the password entered was actually that of the intended user being authenticated. Instead, the password was checked for the requesting user. While this disstinction sounds like a security hole, its actually not been a problem in practice. The helper binaries have only been used in the case that the application is not setuid-0 and as such even if an improper authentication succeeded, the application could not change its uid from that of the requesting user. --- modules/pam_unix/support.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'modules/pam_unix/support.c') diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c index 87a5d938..69071408 100644 --- a/modules/pam_unix/support.c +++ b/modules/pam_unix/support.c @@ -394,7 +394,8 @@ int _unix_blankpasswd(unsigned int ctrl, const char *name) #include #include -static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsigned int ctrl) +static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, + unsigned int ctrl, const char *user) { int retval, child, fds[2]; @@ -408,8 +409,8 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig /* fork */ child = fork(); if (child == 0) { - static char *args[] = { NULL, NULL }; static char *envp[] = { NULL }; + char *args[] = { NULL, NULL, NULL }; /* XXX - should really tidy up PAM here too */ @@ -419,6 +420,8 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd, unsig /* exec binary helper */ args[0] = x_strdup(CHKPWD_HELPER); + args[1] = x_strdup(user); + execve(CHKPWD_HELPER, args, envp); /* should not get here: exit with error */ @@ -530,7 +533,7 @@ int _unix_verify_password(pam_handle_t * pamh, const char *name if (geteuid()) { /* we are not root perhaps this is the reason? Run helper */ D(("running helper binary")); - retval = _unix_run_helper_binary(pamh, p, ctrl); + retval = _unix_run_helper_binary(pamh, p, ctrl, name); if (pwd == NULL && !on(UNIX_AUDIT,ctrl) && retval != PAM_SUCCESS) { -- cgit v1.2.3