From dba185605b1f9ce2d8d7e90b956abe9fa0487f24 Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Wed, 26 Oct 2005 19:05:32 +0000 Subject: Relevant BUGIDs: Red Hat bz 168180 Purpose of commit: bugfix Commit summary: --------------- 2005-10-26 Tomas Mraz * modules/pam_unix/pam_unix_acct.c (_unix_run_verify_binary), modules/pam_unix/pam_unix_passwd.c (_unix_run_shadow_binary), modules/pam_unix/support.c (_unix_run_shadow_binary_): Set real uid to 0 before executing the helper if SELinux is enabled. * modules/pam_unix/unix_chkpwd.c (main): Disable user check only if real uid is 0 (CVE-2005-2977). Log failed password check attempt. --- modules/pam_unix/unix_chkpwd.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'modules/pam_unix/unix_chkpwd.c') diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index cc42c4df..b817f658 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -457,13 +457,12 @@ int main(int argc, char *argv[]) } /* - * determine the current user's name is. - * On a SELinux enabled system, policy will prevent third parties from using - * unix_chkpwd as a password guesser. Leaving the existing check prevents - * su from working, Since the current uid is the users and the password is - * for root. + * Determine what the current user's name is. + * On a SELinux enabled system with a strict policy leaving the + * existing check prevents shadow password authentication from working. + * We must thus skip the check if the real uid is 0. */ - if (SELINUX_ENABLED) { + if (SELINUX_ENABLED && getuid() == 0) { user=argv[1]; } else { @@ -525,6 +524,7 @@ int main(int argc, char *argv[]) /* return pass or fail */ if ((retval != PAM_SUCCESS) || force_failure) { + _log_err(LOG_NOTICE, "password check failed for user (%s)", user); return PAM_AUTH_ERR; } else { return PAM_SUCCESS; -- cgit v1.2.3