From b23d337b86488d23b2f77fc71a5de30348af671d Mon Sep 17 00:00:00 2001 From: Christian Göttsche Date: Thu, 4 Jan 2024 18:23:57 +0100 Subject: pam_unix: reject unix_update(8) running on different unprivileged user In case unix_update(8) is installed as a setuid binary, which Fedora and Debian does not do, prevent unprivileged users to probe (and eventually change) passwords of other users (including root). --- modules/pam_unix/unix_update.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'modules/pam_unix') diff --git a/modules/pam_unix/unix_update.c b/modules/pam_unix/unix_update.c index 4adaa5af..95e99494 100644 --- a/modules/pam_unix/unix_update.c +++ b/modules/pam_unix/unix_update.c @@ -42,6 +42,7 @@ static int set_password(const char *forwho, const char *shadow, const char *remember) { struct passwd *pwd = NULL; + uid_t ruid; int retval; char pass[PAM_MAX_RESP_SIZE + 1]; char towhat[PAM_MAX_RESP_SIZE + 1]; @@ -80,9 +81,18 @@ set_password(const char *forwho, const char *shadow, const char *remember) } /* If real caller uid is not root we must verify that - received old pass agrees with the current one. - We always allow change from null pass. */ - if (getuid()) { + * the target user is the caller and the + * received old pass agrees with the current one. + * We always allow change from null pass. */ + ruid = getuid(); + if (ruid != 0) { + if (pwd->pw_uid != ruid) { + helper_log_err(LOG_NOTICE, "user mismatch detected: source=%d target=%d", + ruid, pwd->pw_uid); + retval = PAM_AUTHTOK_ERR; + goto done; + } + retval = helper_verify_password(forwho, pass, 1); #ifdef HAVE_LIBAUDIT audit_log(AUDIT_USER_AUTH, getuidname(getuid()), retval); -- cgit v1.2.3