|
|
@@ -0,0 +1,77 @@
|
|
|
+From b7b96362087414e52524d3d9d9b3faa21e1db620 Mon Sep 17 00:00:00 2001
|
|
|
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
|
+Date: Wed, 24 Jan 2024 18:57:42 +0100
|
|
|
+Subject: [PATCH] pam_unix: try to set uid to 0 for unix_chkpwd
|
|
|
+
|
|
|
+The geteuid check does not cover all cases. If a program runs with
|
|
|
+elevated capabilities like CAP_SETUID then we can still check
|
|
|
+credentials of other users.
|
|
|
+
|
|
|
+Keep logging for future analysis though.
|
|
|
+
|
|
|
+Resolves: https://github.com/linux-pam/linux-pam/issues/747
|
|
|
+Fixes: b3020da7da38 ("pam_unix/passverify: always run the helper to obtain shadow password file entries")
|
|
|
+
|
|
|
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
|
+
|
|
|
+Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/b7b96362087414e52524d3d9d9b3faa21e1db620]
|
|
|
+CVE: CVE-2024-10041
|
|
|
+Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
|
|
|
+---
|
|
|
+ modules/pam_unix/pam_unix_acct.c | 17 +++++++++--------
|
|
|
+ modules/pam_unix/support.c | 14 +++++++-------
|
|
|
+ 2 files changed, 16 insertions(+), 15 deletions(-)
|
|
|
+
|
|
|
+diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c
|
|
|
+index 8f5ed3e0df..7ffcb9e3f2 100644
|
|
|
+--- a/modules/pam_unix/pam_unix_acct.c
|
|
|
++++ b/modules/pam_unix/pam_unix_acct.c
|
|
|
+@@ -110,14 +110,15 @@ int _unix_run_verify_binary(pam_handle_t *pamh, unsigned long long ctrl,
|
|
|
+ _exit(PAM_AUTHINFO_UNAVAIL);
|
|
|
+ }
|
|
|
+
|
|
|
+- if (geteuid() == 0) {
|
|
|
+- /* must set the real uid to 0 so the helper will not error
|
|
|
+- out if pam is called from setuid binary (su, sudo...) */
|
|
|
+- if (setuid(0) == -1) {
|
|
|
+- pam_syslog(pamh, LOG_ERR, "setuid failed: %m");
|
|
|
+- printf("-1\n");
|
|
|
+- fflush(stdout);
|
|
|
+- _exit(PAM_AUTHINFO_UNAVAIL);
|
|
|
++ /* must set the real uid to 0 so the helper will not error
|
|
|
++ out if pam is called from setuid binary (su, sudo...) */
|
|
|
++ if (setuid(0) == -1) {
|
|
|
++ uid_t euid = geteuid();
|
|
|
++ pam_syslog(pamh, euid == 0 ? LOG_ERR : LOG_DEBUG, "setuid failed: %m");
|
|
|
++ if (euid == 0) {
|
|
|
++ printf("-1\n");
|
|
|
++ fflush(stdout);
|
|
|
++ _exit(PAM_AUTHINFO_UNAVAIL);
|
|
|
+ }
|
|
|
+ }
|
|
|
+
|
|
|
+diff --git a/modules/pam_unix/support.c b/modules/pam_unix/support.c
|
|
|
+index d391973f95..69811048e6 100644
|
|
|
+--- a/modules/pam_unix/support.c
|
|
|
++++ b/modules/pam_unix/support.c
|
|
|
+@@ -562,13 +562,13 @@ static int _unix_run_helper_binary(pam_handle_t *pamh, const char *passwd,
|
|
|
+ _exit(PAM_AUTHINFO_UNAVAIL);
|
|
|
+ }
|
|
|
+
|
|
|
+- if (geteuid() == 0) {
|
|
|
+- /* must set the real uid to 0 so the helper will not error
|
|
|
+- out if pam is called from setuid binary (su, sudo...) */
|
|
|
+- if (setuid(0) == -1) {
|
|
|
+- D(("setuid failed"));
|
|
|
+- _exit(PAM_AUTHINFO_UNAVAIL);
|
|
|
+- }
|
|
|
++ /* must set the real uid to 0 so the helper will not error
|
|
|
++ out if pam is called from setuid binary (su, sudo...) */
|
|
|
++ if (setuid(0) == -1) {
|
|
|
++ D(("setuid failed"));
|
|
|
++ if (geteuid() == 0) {
|
|
|
++ _exit(PAM_AUTHINFO_UNAVAIL);
|
|
|
++ }
|
|
|
+ }
|
|
|
+
|
|
|
+ /* exec binary helper */
|
Shubham Kulkarni