From 8e577fb4c55674260143a325c01f47d8dff712af Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Thu, 4 Jan 2024 18:23:58 +0100
Subject: pam_unix: support setgid version of unix_chkpwd(8)

In case unix_chkpwd(8) is not a setuid but a setgid binary, reset to the real group as well.

Also check the privileges are permanently lost, see: https://wiki.sei.cmu.edu/confluence/display/c/POS37-C.+Ensure+that+privilege+relinquishment+is+successful

See also the current Debian patch: https://sources.debian.org/src/pam/1.5.2-9.1/debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch/
---
 modules/pam_unix/unix_chkpwd.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
(limited to 'modules/pam_unix')

diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c
index 5f47133c..43fcbd82 100644
--- a/modules/pam_unix/unix_chkpwd.c
+++ b/modules/pam_unix/unix_chkpwd.c
@@ -110,8 +110,13 @@ int main(int argc, char *argv[])
 /* if the caller specifies the username, verify that user matches it */
 if (user == NULL || strcmp(user, argv[1])) {
- /* no match -> permanently change to the real user and proceed */
- if (setuid(getuid()) != 0)
+ uid_t ruid = getuid();
+ gid_t rgid = getgid();
+
+ /* no match -> permanently change to the real user and group,
+ * check for no-return, and proceed */
+ if (setgid(rgid) != 0 || setuid(ruid) != 0 ||
+ (rgid != 0 && setgid(0) != -1) || (ruid != 0 && setuid(0) != -1))
 return PAM_AUTH_ERR;
 }
 user = argv[1];
-- 
cgit v1.2.3
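Review bot: The no-return probe in the new `if` condition only tests whether gid/uid 0 can be regained, which misses the very case this commit adds: a unix_chkpwd that is setgid to a non-root group (the Debian setgid-shadow layout) runs without CAP_SETGID, and per setgid(2) an unprivileged setgid() changes only the effective GID and leaves the saved set-group-ID in place, so `setgid(rgid)` succeeds, `setgid(0)` fails as expected, and the group privilege is still recoverable through the saved ID. Probing the pre-drop effective IDs instead of 0 detects that, and dropping real, effective and saved IDs together with setresgid()/setresuid() (where the platform provides them; any feature guard for that lives outside this hunk) makes the drop actually permanent so this path can succeed on a setgid build. The order of dropping the group before the user should stay as written. main() starts before and continues after this hunk.
```c
	if (user == NULL || strcmp(user, argv[1])) {
		uid_t ruid = getuid();
		uid_t euid = geteuid();
		gid_t rgid = getgid();
		gid_t egid = getegid();

		/* no match -> permanently change to the real user and group
		 * (real, effective and saved IDs), verify the previous
		 * effective IDs cannot be regained, and proceed */
		if (setresgid(rgid, rgid, rgid) != 0 || setresuid(ruid, ruid, ruid) != 0 ||
		    (egid != rgid && setgid(egid) != -1) || (euid != ruid && setuid(euid) != -1))
			return PAM_AUTH_ERR;
		/* … unchanged: closing brace and user = argv[1]; … */
```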