From b430e2d1c93414cb14e9a3557ac895e864138497 Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Thu, 4 Jan 2024 18:23:50 +0100
Subject: pam_unix: add audit support to unix_update(8)

Emit audit reports in the helper unix_update(8) about abnormal executions, unprivileged authentications, and password updates. Also log unprivileged authentication failures to syslog.
---
 modules/pam_unix/unix_update.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'modules/pam_unix/unix_update.c')

diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 49a70ff3..4adaa5af 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -27,6 +27,10 @@
 #include
 #include
 #include
+#ifdef HAVE_LIBAUDIT
+#include
+#include "audit.h"
+#endif
 #include
 #include
@@ -80,7 +84,12 @@ set_password(const char *forwho, const char *shadow, const char *remember)
 We always allow change from null pass. */
 if (getuid()) {
 retval = helper_verify_password(forwho, pass, 1);
+#ifdef HAVE_LIBAUDIT
+ audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval);
+#endif
 if (retval != PAM_SUCCESS) {
+ helper_log_err(LOG_NOTICE, "password check failed for user (%s)",
+ getuidname(getuid()));
 goto done;
 }
 }
@@ -100,6 +109,11 @@ set_password(const char *forwho, const char *shadow, const char *remember)
 retval = unix_update_passwd(forwho, towhat);
 }
+#ifdef HAVE_LIBAUDIT
+ audit_log(AUDIT_USER_CHAUTHTOK, getuidname(getuid()), retval);
+#endif
+
+
 done:
 pam_overwrite_array(pass);
 pam_overwrite_array(towhat);
@@ -135,6 +149,9 @@ int main(int argc, char *argv[])
 helper_log_err(LOG_NOTICE
 ,"inappropriate use of Unix helper binary [UID=%d]"
 ,getuid());
+#ifdef HAVE_LIBAUDIT
+ audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+#endif
 fprintf(stderr
 ,"This binary is not designed for running in this way\n"
 "-- the system administrator has been informed\n");
--
cgit v1.2.3

From b23d337b86488d23b2f77fc71a5de30348af671d Mon Sep 17 00:00:00 2001
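Review bot: `getuidname(getuid())` is passed unchecked to the `%s` of the new `helper_log_err` call and to `audit_log`; if getuidname() can return NULL for a calling uid that has no passwd entry (it appears to be a getpwuid() wrapper, so confirm), the `%s` is undefined behavior and the audit record loses its subject. Fetch it once and substitute a fallback: `const char *caller = getuidname(getuid());` then `audit_log(AUDIT_USER_AUTH, caller, retval);` and `helper_log_err(LOG_NOTICE, "password check failed for user (%s)", caller ? caller : "?");`. The same unchecked call appears in the AUDIT_USER_CHAUTHTOK hunk and in the AUDIT_ANOM_EXEC hunk in main. The password that failed verification here is `forwho`'s, which in this commit need not be the caller, so naming `forwho` in the message would make the syslog line easier to correlate. set_password starts and ends outside this hunk.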
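Review bot: The AUDIT_USER_CHAUTHTOK record names the caller, yet the account whose authentication token was changed is `forwho`; if audit_log() forwards its name argument as the account field of the record (confirm against audit.h), a root-driven change of another user's password is recorded against root rather than the affected account, so consider `audit_log(AUDIT_USER_CHAUTHTOK, forwho, retval);` or reporting both. The hunk also inserts two consecutive empty lines before `done:` where one separator matches the rest of the file. set_password continues outside this hunk.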
From: Christian Göttsche
Date: Thu, 4 Jan 2024 18:23:57 +0100
Subject: pam_unix: reject unix_update(8) running on different unprivileged user

In case unix_update(8) is installed as a setuid binary, which Fedora and Debian does not do, prevent unprivileged users to probe (and eventually change) passwords of other users (including root).
---
 modules/pam_unix/unix_update.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

(limited to 'modules/pam_unix/unix_update.c')

diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 4adaa5af..95e99494 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -42,6 +42,7 @@ static int
 set_password(const char *forwho, const char *shadow, const char *remember)
 {
 struct passwd *pwd = NULL;
+ uid_t ruid;
 int retval;
 char pass[PAM_MAX_RESP_SIZE + 1];
 char towhat[PAM_MAX_RESP_SIZE + 1];
@@ -80,9 +81,18 @@ set_password(const char *forwho, const char *shadow, const char *remember)
 }
 /* If real caller uid is not root we must verify that
- received old pass agrees with the current one.
- We always allow change from null pass. */
- if (getuid()) {
+ * the target user is the caller and the
+ * received old pass agrees with the current one.
+ * We always allow change from null pass. */
+ ruid = getuid();
+ if (ruid != 0) {
+ if (pwd->pw_uid != ruid) {
+ helper_log_err(LOG_NOTICE, "user mismatch detected: source=%d target=%d",
+ ruid, pwd->pw_uid);
+ retval = PAM_AUTHTOK_ERR;
+ goto done;
+ }
+
 retval = helper_verify_password(forwho, pass, 1);
 #ifdef HAVE_LIBAUDIT
 audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval);
--
cgit v1.2.3

From b4a1c95102c7ba4e2e344fef0e2451aa6041c664 Mon Sep 17 00:00:00 2001
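Review bot: The new user-mismatch branch writes to syslog but emits no audit record, while the failed-verification path directly below it reports AUDIT_USER_AUTH; an attempt to operate on another user's password is the more noteworthy event, so add the same kind of record under `#ifdef HAVE_LIBAUDIT` before the `goto done;`, e.g. `audit_log(AUDIT_USER_AUTH, getuidname(ruid), retval);` after `retval` is set. `ruid` and `pwd->pw_uid` are uid_t printed with `%d`; uid_t is unsigned on Linux, so `%u` (or a cast to unsigned long with `%lu`) is the matching conversion, although the existing `[UID=%d]` in main follows the same `%d` convention. The check dereferences `pwd`, which must have been validated above this hunk since set_password starts outside it. Minor: the `getuidname(getuid())` on the last context line could now use `ruid`.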
From: Christian Göttsche
Date: Tue, 16 Jan 2024 15:49:55 +0100
Subject: pam_unix: fix typos in comments
---
 modules/pam_unix/unix_chkpwd.c | 2 +-
 modules/pam_unix/unix_update.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/pam_unix/unix_update.c')

diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 43fcbd82..820136d5 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -78,7 +78,7 @@ int main(int argc, char *argv[])
 /*
 * we establish that this program is running with non-tty stdin.
 * this is to discourage casual use. It does *NOT* prevent an
- * intruder from repeatadly running this program to determine the
+ * intruder from repeatedly running this program to determine the
 * password of the current user (brute force attack, but one for
 * which the attacker must already have gained access to the user's
 * account).
diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c
index 95e99494..e17d6f87 100644
--- a/modules/pam_unix/unix_update.c
+++ b/modules/pam_unix/unix_update.c
@@ -149,7 +149,7 @@ int main(int argc, char *argv[])
 /*
 * we establish that this program is running with non-tty stdin.
 * this is to discourage casual use. It does *NOT* prevent an
- * intruder from repeatadly running this program to determine the
+ * intruder from repeatedly running this program to determine the
 * password of the current user (brute force attack, but one for
 * which the attacker must already have gained access to the user's
 * account).
--
cgit v1.2.3