- if shadow is readable for an user do not prevent him from authenticating

any user with unix_chkpwd (#433459)
- call audit from unix_chkpwd when appropriate

pam-0.99.10.0-unix-any-user.patch

@@ -0,0 +1,15 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.any-user Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c
+--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.any-user	2008-01-28 13:21:48.000000000 +0100
++++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c	2008-02-21 14:06:56.000000000 +0100
+@@ -101,7 +101,10 @@ int main(int argc, char *argv[])
+ 	  /* if the caller specifies the username, verify that user
+ 	     matches it */
+ 	  if (strcmp(user, argv[1])) {
+-	    return PAM_AUTH_ERR;
++	    user = argv[1];
++	    /* no match -> permanently change to the real user and proceed */
++	    if (setuid(getuid()) != 0)
++		return PAM_AUTH_ERR;
+ 	  }
+ 	}
+ 

pam-0.99.10.0-unix-audit-failed.patch

@@ -0,0 +1,103 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am
+--- Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am.audit-failed	2008-02-06 15:21:34.000000000 +0100
++++ Linux-PAM-0.99.10.0/modules/pam_unix/Makefile.am	2008-02-22 16:11:02.000000000 +0100
+@@ -53,7 +53,7 @@ unix_chkpwd_SOURCES = unix_chkpwd.c md5_
+ 	passverify.c
+ unix_chkpwd_CFLAGS = $(AM_CFLAGS) @PIE_CFLAGS@ -DHELPER_COMPILE=\"unix_chkpwd\"
+ unix_chkpwd_LDFLAGS = @PIE_LDFLAGS@ 
+-unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@
++unix_chkpwd_LDADD = @LIBCRYPT@ @LIBSELINUX@ @LIBAUDIT@
+ 
+ unix_update_SOURCES = unix_update.c md5_good.c md5_broken.c bigcrypt.c \
+ 	passverify.c
+diff -up Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c
+--- Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c.audit-failed	2008-02-22 15:39:03.000000000 +0100
++++ Linux-PAM-0.99.10.0/modules/pam_unix/unix_chkpwd.c	2008-02-22 16:34:29.000000000 +0100
+@@ -24,6 +24,10 @@
+ #include <shadow.h>
+ #include <signal.h>
+ #include <time.h>
++#include <errno.h>
++#ifdef HAVE_LIBAUDIT
++#include <libaudit.h>
++#endif
+ 
+ #include <security/_pam_types.h>
+ #include <security/_pam_macros.h>
+@@ -54,6 +58,37 @@ static int _check_expiry(const char *una
+ 	return retval;
+ }
+ 
++static int _audit_log(int type, const char *uname, int rc)
++{
++#ifdef HAVE_LIBAUDIT
++	int audit_fd;
++
++	audit_fd = audit_open();
++	if (audit_fd < 0) {
++		/* You get these error codes only when the kernel doesn't have
++		 * audit compiled in. */
++		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++			errno == EAFNOSUPPORT)
++			return PAM_SUCCESS;
++
++		helper_log_err(LOG_CRIT, "audit_open() failed: %m");
++		return PAM_AUTH_ERR;
++	}
++
++	rc = audit_log_acct_message(audit_fd, type, NULL, "PAM:unix_chkpwd",
++		uname, -1, NULL, NULL, NULL, rc == PAM_SUCCESS);
++	if (rc == -EPERM && geteuid() != 0) {
++		rc = 0;
++	}
++
++	audit_close(audit_fd);
++
++	return rc < 0 ? PAM_AUTH_ERR : PAM_SUCCESS;
++#else
++	return PAM_SUCCESS;
++#endif
++}
++
+ int main(int argc, char *argv[])
+ {
+ 	char pass[MAXPASS + 1];
+@@ -82,6 +117,7 @@ int main(int argc, char *argv[])
+ 		helper_log_err(LOG_NOTICE
+ 		      ,"inappropriate use of Unix helper binary [UID=%d]"
+ 			 ,getuid());
++		_audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+ 		fprintf(stderr
+ 		 ,"This binary is not designed for running in this way\n"
+ 		      "-- the system administrator has been informed\n");
+@@ -118,9 +154,10 @@ int main(int argc, char *argv[])
+ 	  nullok = 1;
+ 	else if (strcmp(option, "nonull") == 0)
+ 	  nullok = 0;
+-	else
++	else {
++	  _audit_log(AUDIT_ANOM_EXEC, getuidname(getuid()), PAM_SYSTEM_ERR);
+ 	  return PAM_SYSTEM_ERR;
+-
++	}
+ 	/* read the password from stdin (a pipe from the pam_unix module) */
+ 
+ 	npass = read_passwords(STDIN_FILENO, 1, passwords);
+@@ -141,11 +178,16 @@ int main(int argc, char *argv[])
+ 	/* return pass or fail */
+ 
+ 	if (retval != PAM_SUCCESS) {
+-		if (!nullok || !blankpass)
++		if (!nullok || !blankpass) {
+ 			/* no need to log blank pass test */
++			if (getuid() != 0)
++				_audit_log(AUDIT_USER_AUTH, user, PAM_AUTH_ERR);
+ 			helper_log_err(LOG_NOTICE, "password check failed for user (%s)", user);
++		}
+ 		return PAM_AUTH_ERR;
+ 	} else {
++		if (getuid() != 0)
++			return _audit_log(AUDIT_USER_AUTH, user, PAM_SUCCESS);
+ 		return PAM_SUCCESS;
+ 	}
+ }

pam.spec

@@ -5,7 +5,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.10.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -26,6 +26,8 @@ Patch1:  pam-0.99.7.0-redhat-modules.patch
 Patch2:  db-4.6.18-glibc.patch
 Patch4:  pam-0.99.8.1-dbpam.patch
 Patch5:  pam-0.99.8.1-audit-no-log.patch
+Patch20: pam-0.99.10.0-unix-any-user.patch
+Patch21: pam-0.99.10.0-unix-audit-failed.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
 Patch42: pam-0.99.8.1-console-hal-handled.patch
@@ -100,6 +102,8 @@ pushd db-%{db_version}
 popd
 %patch4 -p1 -b .dbpam
 %patch5 -p1 -b .no-log
+%patch20 -p1 -b .any-user
+%patch21 -p1 -b .audit-failed
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
 %patch42 -p1 -b .hal-handled
@@ -374,6 +378,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Feb 22 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-2
+- if shadow is readable for an user do not prevent him from
+  authenticating any user with unix_chkpwd (#433459)
+- call audit from unix_chkpwd when appropriate
+
 * Fri Feb 15 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-1
 - new upstream release
 - add default soft limit for nproc of 1024 to prevent