pam_unix.so: allow account verification for non-root users when shadow is enabled
- From: Laurence Withers <l lwithers me uk>
- To: pam-list redhat com
- Subject: pam_unix.so: allow account verification for non-root users when shadow is enabled
- Date: Tue, 2 Oct 2007 18:05:00 +0000
Hi,
I have recently been setting up exim to authenticate SMTP logins via
PAM. This system does not use SELinux. /etc/pam.d/exim includes the
line:
account required pam_unix.so
When it comes to verifying account details (i.e. pam_sm_acct_mgmt() in
modules/pam_unix/pam_unix_acct.c), `_unix_shadowed(pwent)' is going to
return true since I have shadow passwords enabled. This means that PAM
will now try to access /etc/shadow.
The exim daemon does not run as root, however; it runs under the UID
mail. This obviously means that /etc/shadow (mode 0600) cannot be read
by the library, and so `pam_sm_acct_mgmt()' returns
PAM_AUTHINFO_UNAVAIL.
On the assumption that it is a valid thing for a non-root process to
check the validity of an account, I activated the SELinux-specific
`_unix_run_verify_binary()' code, and the call to it in
pam_sm_acct_mgmt(), so that the setuid unix_chkpwd helper binary is
called to retrieve the information from /etc/shadow. This works as
intended.
I have attached a patch with these changes, in the hope that it is
useful. However, I will admit that I simply don't have enough
experience to see if this has security implications or not. Please let
me know.
Bye for now,
--
Laurence Withers, <l lwithers me uk>
http://www.lwithers.me.uk/
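The account-aging checks the message refers to, as an added example that is neither pam_unix's code nor the author's patch: a simplified version of what pam_sm_acct_mgmt() computes from a shadow entry (field meanings per shadow(5), with -1 meaning "not set"), run over constructed entries, followed by a getspnam() lookup that reports whether the calling uid could read /etc/shadow at all, which is the failure the message describes for the mail uid. The names check_aging, check_fields and lookup_live, the status enum and the sample day counts are this example's own assumptions.

```c
#include <errno.h>
#include <shadow.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Outcomes, roughly corresponding to pam_unix's PAM_* account codes. */
enum acct_status {
    ACCT_OK,              /* nothing to report */
    ACCT_EXPIRED,         /* sp_expire has passed: the account is disabled */
    ACCT_NEW_TOKEN_REQD,  /* sp_lstchg == 0: password change forced at next login */
    ACCT_AUTHTOK_EXPIRED, /* password older than sp_max + sp_inact: locked out */
    ACCT_CHANGE_REQD,     /* password older than sp_max: must change now */
    ACCT_WARN             /* within sp_warn days of sp_max: warn the user */
};

/* Simplified account-aging logic (this example's own, not pam_unix's exact
 * code). Values are day counts since 1970-01-01 as stored in /etc/shadow;
 * -1 means "field not set" (glibc convention). */
enum acct_status check_aging(const struct spwd *sp, long today)
{
    long age = today - sp->sp_lstchg;

    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;
    if (sp->sp_lstchg == 0)
        return ACCT_NEW_TOKEN_REQD;
    if (sp->sp_max < 0)                /* no maximum age: password never expires */
        return ACCT_OK;
    if (sp->sp_inact >= 0 && age > sp->sp_max + sp->sp_inact)
        return ACCT_AUTHTOK_EXPIRED;
    if (age > sp->sp_max)
        return ACCT_CHANGE_REQD;
    if (sp->sp_warn > 0 && age >= sp->sp_max - sp->sp_warn)
        return ACCT_WARN;
    return ACCT_OK;
}

/* Build a constructed entry from its numeric fields and check it. */
enum acct_status check_fields(long lstchg, long max, long warn,
                              long inact, long expire, long today)
{
    struct spwd sp;
    memset(&sp, 0, sizeof sp);
    sp.sp_namp = "example";            /* constructed user, not a real account */
    sp.sp_pwdp = "!";
    sp.sp_lstchg = lstchg;
    sp.sp_min = 0;
    sp.sp_max = max;
    sp.sp_warn = warn;
    sp.sp_inact = inact;
    sp.sp_expire = expire;
    return check_aging(&sp, today);
}

/* Live lookup: the same getspnam() call that pam_sm_acct_mgmt() relies on
 * once _unix_shadowed() says shadow passwords are in use. Returns 0 on
 * success; -1 with errno == EACCES when the caller cannot open /etc/shadow
 * (the non-root case in the message); -1 with errno == 0 when the user
 * simply has no shadow entry. */
int lookup_live(const char *user, enum acct_status *out)
{
    errno = 0;
    struct spwd *sp = getspnam(user);
    if (!sp)
        return -1;
    *out = check_aging(sp, (long)(time(NULL) / 86400));
    return 0;
}

int main(void)
{
    enum acct_status st;
    const char *user = "root";

    if (lookup_live(user, &st) == 0)
        printf("%s: shadow entry readable, aging status %d\n", user, (int)st);
    else if (errno == EACCES)
        printf("%s: /etc/shadow not readable as uid %d; pam_unix would need "
               "the setuid helper here\n", user, (int)geteuid());
    else
        printf("%s: no shadow entry (errno %d)\n", user, errno);
    return 0;
}
```

Run it once as root and once as an unprivileged user (the mail uid in the message's setup) to see the two paths: the first prints the aging status, the second hits the EACCES branch, which is exactly the condition under which pam_sm_acct_mgmt() returns PAM_AUTHINFO_UNAVAIL without a helper fallback.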
--- old/modules/pam_unix/pam_unix_acct.c 2007-10-02 00:24:25.000000000 +0000
+++ new/modules/pam_unix/pam_unix_acct.c 2007-10-02 00:30:50.000000000 +0000
@@ -64,8 +64,6 @@
#include "support.h"
-#ifdef WITH_SELINUX
-
struct spwd spwd;
struct spwd *_unix_run_verify_binary(pam_handle_t *pamh, unsigned int ctrl, const char *user)
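Review bot: dropping the `#ifdef WITH_SELINUX` here compiles `_unix_run_verify_binary()` and the file-scope `struct spwd spwd` it returns into every build, which is the intent of the patch, but nothing in the diff records that the helper fallback is now a generic code path rather than an SELinux one; the commit message should state that change of contract, since non-SELinux, non-root callers of the account stack will start depending on `unix_chkpwd` from this revision on.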
@@ -117,12 +115,6 @@
}
}
+#ifdef SELINUX_ENABLED
if (SELINUX_ENABLED && geteuid() == 0) {
/* must set the real uid to 0 so the helper will not error
out if pam is called from setuid binary (su, sudo...) */
setuid(0);
}
+#endif
/* exec binary helper */
args[0] = x_strdup(CHKPWD_HELPER);
args[1] = x_strdup(user);
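Review bot: the new `#ifdef SELINUX_ENABLED` guard tests whether the macro is defined, not whether it expands to a true value, while the line it wraps already uses `SELINUX_ENABLED` as a runtime condition. If the macro is defined in every build the guard excludes nothing; if it were undefined in a non-SELinux build, the unguarded `if (SELINUX_ENABLED && geteuid() == 0)` would fail to compile anyway. Either keep the file's existing convention and use `#ifdef WITH_SELINUX`, or drop the guard and rely on the runtime check alone.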
@@ -180,7 +172,6 @@
return &spwd;
}
-#endif
/*
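Review bot: this `#endif` closes the `#ifdef WITH_SELINUX` removed in the first hunk, so the preprocessor nesting stays balanced; the one thing to confirm is that `CHKPWD_HELPER`, used by `_unix_run_verify_binary()` in the previous hunk, is defined for non-SELinux builds as well, since the function now compiles unconditionally.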
@@ -252,10 +243,8 @@
else
return PAM_SUCCESS;
-#ifdef WITH_SELINUX
- if (!spent && SELINUX_ENABLED )
+ if (!spent)
spent = _unix_run_verify_binary(pamh, ctrl, uname);
-#endif
if (!spent)
if (on(UNIX_BROKEN_SHADOW,ctrl))
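Review bot: removing `SELINUX_ENABLED` from the condition makes the helper fallback unconditional, so any caller of `pam_sm_acct_mgmt()` whose `getspnam()` returns NULL, whether because it runs unprivileged or for some other reason, now execs the setuid `unix_chkpwd` to obtain shadow aging data. This is the security-relevant change the cover letter asks about: it should be stated in the commit message, and the helper's own treatment of non-root callers (what it will disclose about a user it did not just authenticate, and under which conditions it refuses) should be reviewed together with this hunk rather than assumed from the SELinux-only case it was written for. Leaving the `UNIX_BROKEN_SHADOW` fallback below in place is right, since a failed helper run still falls through to it.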