diff --git a/pam-0.99.10.0-unix-any-user.patch b/pam-0.99.10.0-unix-any-user.patch new file mode 100644 index 0000000..039561c --- /dev/null +++ b/pam-0.99.10.0-unix-any-user.patch @@ -0,0 +1,15 @@ +diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.any-user Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c +--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.any-user 2008-01-28 13:21:48.000000000 +0100 ++++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c 2008-02-21 14:06:56.000000000 +0100 +@@ -101,7 +101,10 @@ int main(int argc, char *argv[]) + /* if the caller specifies the username, verify that user + matches it */ + if (strcmp(user, argv[1])) { +- return PAM_AUTH_ERR; ++ user = argv[1]; ++ /* no match -> permanently change to the real user and proceed */ ++ if (setuid(getuid()) != 0) ++ return PAM_AUTH_ERR; + } + } + diff --git a/pam-0.99.10.0-unix-audit-failed.patch b/pam-0.99.10.0-unix-audit-failed.patch new file mode 100644 index 0000000..6f24159 --- /dev/null +++ b/pam-0.99.10.0-unix-audit-failed.patch @@ -0,0 +1,103 @@ +diff -up Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am +--- Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed 2008-02-06 15:21:34.000000000 +0100 ++++ Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am 2008-02-22 16:11:02.000000000 +0100 +@@ -53,7 +53,7 @@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_ + passverify.c + unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\" + unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ +-unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ ++unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@ + + unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \ + passverify.c +diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c +--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed 2008-02-22 15:39:03.000000000 +0100 ++++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c 2008-02-22 16:34:29.000000000 +0100 +@@ -24,6 +24,10 @@ + #include + #include + #include ++#include ++#ifdef HAVE_LIBAUDIT ++#include ++#endif + + #include + #include +@@ -54,6 +58,37 @@ static int _check_expiry(const char *una + return retval; + } + ++static int _audit_log(int type, const char *uname, int rc) ++{ ++#ifdef HAVE_LIBAUDIT ++ int audit_fd; ++ ++ audit_fd = audit_open(); ++ if (audit_fd < 0) { ++ /* You get these error codes only when the kernel doesn't have ++ * audit compiled in. */ ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return PAM_SUCCESS; ++ ++ helper_log_err(LOG_CRIT, "audit_open() failed: %m"); ++ return PAM_AUTH_ERR; ++ } ++ ++ rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd", ++ uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS); ++ if (rc == -EPERM && geteuid() != 0) { ++ rc = 0; ++ } ++ ++ audit_close(audit_fd); ++ ++ return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS; ++#else ++ return PAM_SUCCESS; ++#endif ++} ++ + int main(int argc, char *argv[]) + { + char pass[MAXPASS + 1]; +@@ -82,6 +117,7 @@ int main(int argc, char *argv[]) + helper_log_err(LOG_NOTICE + ,"inappropriate use of Unix helper binary [UID=%d]" + ,getuid()); ++ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); + fprintf(stderr + ,"This binary is not designed for running in this way\n" + "-- the system administrator has been informed\n"); +@@ -118,9 +154,10 @@ int main(int argc, char *argv[]) + nullok = 1; + else if (strcmp(option, "nonull") == 0) + nullok = 0; +- else ++ else { ++ _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR); + return PAM_SYSTEM_ERR; +- ++ } + /* read the password from stdin (a pipe from the pam_unix module) */ + + npass = read_passwords(STDIN_FILENO, 1, passwords); +@@ -141,11 +178,16 @@ int main(int argc, char *argv[]) + /* return pass or fail */ + + if (retval != PAM_SUCCESS) { +- if (!nullok || !blankpass) ++ if (!nullok || !blankpass) { + /* no need to log blank pass test */ ++ if (getuid() != 0) ++ _audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR); + helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user); ++ } + return PAM_AUTH_ERR; + } else { ++ if (getuid() != 0) ++ return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS); + return PAM_SUCCESS; + } + } diff --git a/pam.spec b/pam.spec index 7504709..c7b8a6c 100644 --- a/pam.spec +++ b/pam.spec @@ -5,7 +5,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.10.0 -Release: 1%{?dist} +Release: 2%{?dist} # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+, # pam_rhosts_auth module is BSD with advertising @@ -26,6 +26,8 @@ Patch1: pam-0.99.7.0-redhat-modules.patch Patch2: db-4.6.18-glibc.patch Patch4: pam-0.99.8.1-dbpam.patch Patch5: pam-0.99.8.1-audit-no-log.patch +Patch20: pam-0.99.10.0-unix-any-user.patch +Patch21: pam-0.99.10.0-unix-audit-failed.patch Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch Patch32: pam-0.99.3.0-tally-fail-close.patch Patch42: pam-0.99.8.1-console-hal-handled.patch @@ -100,6 +102,8 @@ pushd db-%{db_version} popd %patch4 -p1 -b .dbpam %patch5 -p1 -b .no-log +%patch20 -p1 -b .any-user +%patch21 -p1 -b .audit-failed %patch31 -p1 -b .try-first-pass %patch32 -p1 -b .fail-close %patch42 -p1 -b .hal-handled @@ -374,6 +378,11 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Fri Feb 22 2008 Tomas Mraz 0.99.10.0-2 +- if shadow is readable for an user do not prevent him from + authenticating any user with unix_chkpwd (#433459) +- call audit from unix_chkpwd when appropriate + * Fri Feb 15 2008 Tomas Mraz 0.99.10.0-1 - new upstream release - add default soft limit for nproc of 1024 to prevent