Sync from SUSE:SLFO:Main pam revision fa783e61d1e22468beaed2a0feb0f808

pam.changes

@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Mar 24 17:41:34 UTC 2025 - Thorsten Kukuk <kukuk@suse.com>
+
+- Remove unix2_chkpwd, no consumer left
+
 -------------------------------------------------------------------
 Thu Dec  5 12:44:33 UTC 2024 - Valentin Lefebvre <valentin.lefebvre@suse.com>
 

pam.spec

@@ -85,8 +85,6 @@ Source5:        common-account.pamd
 Source6:        common-password.pamd
 Source7:        common-session.pamd
 Source9:        baselibs.conf
-Source10:       unix2_chkpwd.c
-Source11:       unix2_chkpwd.8
 Source12:       pam-login_defs-check.sh
 Source13:       pam.tmpfiles
 Source20:       common-session-nonlogin.pamd
@@ -95,7 +93,7 @@ Source22:       postlogin-account.pamd
 Source23:       postlogin-password.pamd
 Source24:       postlogin-session.pamd
 Patch1:         pam-limit-nproc.patch
-# https://github.com/linux-pam/linux-pam/pull/854
+# PATCH-FIX-UPSTREAM: CVE-2024-10963
 Patch2:         pam_access-rework-resolving-of-tokens-as-hostname.patch
 BuildRequires:  audit-devel
 BuildRequires:  bison
@@ -254,8 +252,6 @@ cp %{tar_package_name} %{_other}
 
 %endif # livepatchable
 
-gcc -fwhole-program -fpie -pie -D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE %{optflags} -I%{_builddir}/Linux-PAM-%{version}/libpam/include %{SOURCE10} -o %{_builddir}/unix2_chkpwd -L%{_builddir}/Linux-PAM-%{version}/%{_target_platform}/libpam -lpam
-
 %if %{build_main}
 %check
 %meson_test
@@ -286,8 +282,6 @@ DOC=%{buildroot}%{_defaultdocdir}/pam
 mkdir -p $DOC/modules
 cp -fpv %{_vpath_builddir}/modules/pam_*/pam_*.txt "$DOC/modules/"
 %endif
-# Install unix2_chkpwd
-install -m 755 %{_builddir}/unix2_chkpwd %{buildroot}%{_sbindir}
 
 # rpm macros
 install -D -m 644 %{SOURCE2} %{buildroot}%{_rpmmacrodir}/macros.pam
@@ -300,7 +294,6 @@ mkdir -p %{buildroot}%{_pam_secdistconfdir}/{limits.d,namespace.d}
 %if !%{build_doc}
 rm -rf %{buildroot}%{_mandir}/man?/*
 %else
-install -m 644 %{_sourcedir}/unix2_chkpwd.8 %{buildroot}/%{_mandir}/man8/
 # bsc#1188724
 echo '.so man8/pam_motd.8' > %{buildroot}%{_mandir}/man5/motd.5
 %endif
@@ -323,12 +316,10 @@ rm -rf  %{buildroot}{%{_pam_moduledir}/pam_limits.so,%{_pam_secdistconfdir}/limi
 
 %verifyscript
 %verify_permissions -e %{_sbindir}/unix_chkpwd
-%verify_permissions -e %{_sbindir}/unix2_chkpwd
 
 %post
 /sbin/ldconfig
 %set_permissions %{_sbindir}/unix_chkpwd
-%set_permissions %{_sbindir}/unix2_chkpwd
 %tmpfiles_create %{_tmpfilesdir}/pam.conf
 
 %postun -p /sbin/ldconfig
@@ -422,7 +413,6 @@ done
 %{_sbindir}/pam_namespace_helper
 %{_sbindir}/pwhistory_helper
 %verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix_chkpwd
-%verify(not mode) %attr(4755,root,shadow) %{_sbindir}/unix2_chkpwd
 %attr(0700,root,root) %{_sbindir}/unix_update
 %{_unitdir}/pam_namespace.service
 %{_tmpfilesdir}/pam.conf
@@ -526,7 +516,6 @@ done
 %{_mandir}/man8/pam_wheel.8%{?ext_man}
 %{_mandir}/man8/pam_xauth.8%{?ext_man}
 %{_mandir}/man8/pwhistory_helper.8%{?ext_man}
-%{_mandir}/man8/unix2_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_chkpwd.8%{?ext_man}
 %{_mandir}/man8/unix_update.8%{?ext_man}
 

unix2_chkpwd.8

@@ -1,79 +0,0 @@
-.\" Copyright (C) 2003 International Business Machines Corporation
-.\" This file is distributed according to the GNU General Public License.
-.\" See the file COPYING in the top level source directory for details.
-.\"
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "UNIX2_CHKPWD" 8 "2003-03-21" "Linux-PAM 0.76" "Linux-PAM Manual"
-.SH NAME
-unix2_chkpwd \- helper binary that verifies the password of the current user
-.SH "SYNOPSIS"
-.ad l
-.hy 0
-
-/sbin/unix2_chkpwd \fIservicename\fR \fIusername\fR
-.sp
-.ad
-.hy
-.SH "DESCRIPTION"
-.PP
-\fBunix2_chkpwd\fR is a helper program for applications that verifies 
-the password of the current user.  It is not intended to be run directly from 
-the command line and logs a security violation if done so. 
-
-It is typically installed setuid root or setgid shadow and called by
-applications, which only wishes to do an user authentification and
-nothing more.
-
-.SH "OPTIONS"
-.PP
-unix2_chkpwd requires the following arguments:
-.TP
-\fIpam_service\fR
-The name of the service using unix2_chkpwd. This is required to be one of
-the services in /etc/pam.d
-.TP
-\fIusername\fR
-The name of the user whose password you want to verify.
-
-.SH "INPUTS"
-.PP
-unix2_chkpwd expects the password via stdin.
-
-.SH "RETURN CODES"
-.PP
-\fBunix2_chkpwd\fR has the following return codes:
-.TP
-1
-unix2_chkpwd was inappropriately called from the command line or the password is incorrect.
-
-.TP
-0
-The password is correct.
-
-.SH "HISTORY"
-Written by Olaf Kirch loosely based on unix_chkpwd by Andrew Morgan
-
-.SH "SEE ALSO"
-
-.PP
-\fBpam\fR(8)
-
-.SH AUTHOR
-Emily Ratliff.

unix2_chkpwd.c

@@ -1,337 +0,0 @@
-/*
- * Set*id helper program for PAM authentication.
- *
- * It is supposed to be called from pam_unix2's
- * pam_sm_authenticate function if the function notices
- * that it's unable to get the password from the shadow file
- * because it doesn't have sufficient permissions.
- *
- * Copyright (C) 2002 SuSE Linux AG
- *
- * Written by okir@suse.de, loosely based on unix_chkpwd
- * by Andrew Morgan.
- */
-
-#include <security/pam_appl.h>
-#include <security/_pam_macros.h>
-
-#include <sys/types.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <syslog.h>
-#include <unistd.h>
-#include <pwd.h>
-#include <signal.h>
-#include <fcntl.h>
-#include <ctype.h>
-#include <errno.h>
-
-#define BUFLEN	1024
-#ifndef LOGINDEFS
-#define LOGINDEFS	"/etc/login.defs"
-#endif
-#define LOGINDEFS_FAIL_DELAY_KEY	"FAIL_DELAY"
-#define DEFAULT_FAIL_DELAY_S	10
-
-#define PASSWD_CRACKER_DELAY_MS	100
-
-enum {
-	UNIX_PASSED = 0,
-	UNIX_FAILED = 1
-};
-
-static char *	program_name;
-static char	pass[64];
-static int	npass = -1;
-
-/*
- * Log error messages
- */
-static void
-_log_err(int err, const char *format,...)
-{
-	va_list args;
-
-	va_start(args, format);
-	openlog(program_name, LOG_CONS | LOG_PID, LOG_AUTH);
-	vsyslog(err, format, args);
-	va_end(args);
-	closelog();
-}
-
-static void
-su_sighandler(int sig)
-{
-	if (sig > 0) {
-		_log_err(LOG_NOTICE, "caught signal %d.", sig);
-		exit(sig);
-	}
-}
-
-/*
- * Setup signal handlers
- */
-static void
-setup_signals(void)
-{
-	struct sigaction action;
-
-	memset((void *) &action, 0, sizeof(action));
-	action.sa_handler = su_sighandler;
-	action.sa_flags = SA_RESETHAND;
-	sigaction(SIGILL, &action, NULL);
-	sigaction(SIGTRAP, &action, NULL);
-	sigaction(SIGBUS, &action, NULL);
-	sigaction(SIGSEGV, &action, NULL);
-	action.sa_handler = SIG_IGN;
-	action.sa_flags = 0;
-	sigaction(SIGTERM, &action, NULL);
-	sigaction(SIGHUP, &action, NULL);
-	sigaction(SIGINT, &action, NULL);
-	sigaction(SIGQUIT, &action, NULL);
-	sigaction(SIGALRM, &action, NULL);
-}
-
-static int
-_converse(int num_msg, const struct pam_message **msg,
-		struct pam_response **resp, void *appdata_ptr)
-{
-	struct	pam_response *reply;
-	int	num;
-
-	if (!(reply = malloc(sizeof(*reply) * num_msg)))
-		return PAM_CONV_ERR;
-
-	for (num = 0; num < num_msg; num++) {
-		reply[num].resp_retcode = PAM_SUCCESS;
-		reply[num].resp = NULL;
-		switch (msg[num]->msg_style) {
-		case PAM_PROMPT_ECHO_ON:
-			return PAM_CONV_ERR;
-		case PAM_PROMPT_ECHO_OFF:
-			/* read the password from stdin */
-			if (npass < 0) {
-				npass = read(STDIN_FILENO, pass, sizeof(pass)-1);
-				if (npass < 0) {
-					_log_err(LOG_DEBUG, "error reading password");
-					return UNIX_FAILED;
-				}
-				pass[npass] = '\0';
-			}
-			reply[num].resp = strdup(pass);
-			break;
-		case PAM_TEXT_INFO:
-		case PAM_ERROR_MSG:
-			/* ignored */
-			break;
-		default:
-			/* Must be an error of some sort... */
-			return PAM_CONV_ERR;
-		}
-	}
-
-	*resp = reply;
-	return PAM_SUCCESS;
-}
-
-static int
-_authenticate(const char *service, const char *user)
-{
-	struct pam_conv conv = { _converse, NULL };
-	pam_handle_t	*pamh;
-	int		err;
-
-	err = pam_start(service, user, &conv, &pamh);
-	if (err != PAM_SUCCESS) {
-		_log_err(LOG_ERR, "pam_start(%s, %s) failed (errno %d)",
-				service, user, err);
-		return UNIX_FAILED;
-	}
-	
-	err = pam_authenticate(pamh, 0);
-	if (err != PAM_SUCCESS)
-		_log_err(LOG_ERR, "pam_authenticate(%s, %s): %s",
-				service, user,
-				pam_strerror(pamh, err));
-
-	if (err == PAM_SUCCESS)
-	{
-		err = pam_acct_mgmt(pamh, 0);
-		if (err == PAM_SUCCESS)
- 		{
-			int err2 = pam_setcred(pamh, PAM_REFRESH_CRED);
-			if (err2 != PAM_SUCCESS)
-				_log_err(LOG_ERR, "pam_setcred(%s, %s): %s",
-					service, user,
-					pam_strerror(pamh, err2));
-				/*
-				 * ignore errors on refresh credentials.
-				 * If this did not work we use the old once.
-				 */
-		} else {
-			_log_err(LOG_ERR, "pam_acct_mgmt(%s, %s): %s",
-				service, user,
-				pam_strerror(pamh, err));
-		}
-	}
-	
-	pam_end(pamh, err);
-
-	if (err != PAM_SUCCESS)
-		return UNIX_FAILED;
-	return UNIX_PASSED;
-}
-
-static char *
-getuidname(uid_t uid)
-{
-	struct passwd *pw;
-	static char username[32];
-
-	pw = getpwuid(uid);
-	if (pw == NULL)
-		return NULL;
-
-	strncpy(username, pw->pw_name, sizeof(username));
-	username[sizeof(username) - 1] = '\0';
-	
-	endpwent();
-	return username;
-}
-
-static int
-sane_pam_service(const char *name)
-{
-	const char *sp;
-	char	path[128];
-
-	if (strlen(name) > 32)
-		return 0;
-	for (sp = name; *sp; sp++) {
-		if (!isalnum(*sp) && *sp != '_' && *sp != '-')
-			return 0;
-	}
-
-	snprintf(path, sizeof(path), "/etc/pam.d/%s", name);
-	return access(path, R_OK) == 0;
-}
-
-static int
-get_system_fail_delay (void)
-{
-	FILE *fs;
-	char buf[BUFLEN];
-	long int delay = -1;
-	char *s;
-	int l;
-
-	fs = fopen(LOGINDEFS, "r");
-	if (NULL == fs) {
-		goto bail_out;
-	}
-
-	while ((NULL != fgets(buf, BUFLEN, fs)) && (-1 == delay)) {
-		if  (!strstr(buf, LOGINDEFS_FAIL_DELAY_KEY)) {
-			continue;
-		}
-		s = buf + strspn(buf, " \t");
-		l = strcspn(s, " \t");
-		if (strncmp(LOGINDEFS_FAIL_DELAY_KEY, s, l)) {
-			continue;
-		}
-		s += l;
-		s += strspn(s, " \t");
-		errno = 0;
-		delay = strtol(s, NULL, 10);
-		if (errno) {
-			delay = -1;
-		}
-		break;
-	}
-	fclose (fs);
-bail_out:
-	delay = (delay < 0) ? DEFAULT_FAIL_DELAY_S : delay;
-	return (int)delay;
-}
-
-int
-main(int argc, char *argv[])
-{
-	const char *program_name;
-	char	*service, *user;
-	int	fd;
-	int result = UNIX_FAILED;
-	uid_t	uid;
-
-	uid = getuid();
-
-	/*
-	 * Make sure standard file descriptors are connected.
-	 */
-	while ((fd = open("/dev/null", O_RDWR)) <= 2)
-		;
-	close(fd);
-
-	/*
-	 * Get the program name
-	 */
-	if (argc == 0)
-		program_name = "unix2_chkpwd";
-	else if ((program_name = strrchr(argv[0], '/')) != NULL)
-		program_name++;
-	else
-		program_name = argv[0];
-
-	/*
-	 * Catch or ignore as many signal as possible.
-	 */
-	setup_signals();
-
-	/*
-	 * Check argument list
-	 */
-	if (argc < 2 || argc > 3) {
-		_log_err(LOG_NOTICE, "Bad number of arguments (%d)", argc);
-		return UNIX_FAILED;
-	}
-
-	/*
-	 * Get the service name and do some sanity checks on it
-	 */
-	service = argv[1];
-	if (!sane_pam_service(service)) {
-		_log_err(LOG_ERR, "Illegal service name '%s'", service);
-		return UNIX_FAILED;
-	}
-
-	/*
-	 * Discourage users messing around (fat chance)
-	 */
-	if (isatty(STDIN_FILENO) && uid != 0) {
-		_log_err(LOG_NOTICE,
-			"Inappropriate use of Unix helper binary [UID=%d]",
-			 uid);
-		fprintf(stderr,
-			"This binary is not designed for running in this way\n"
-			"-- the system administrator has been informed\n");
-		sleep(10);	/* this should discourage/annoy the user */
-		return UNIX_FAILED;
-	}
-
-	/*
-	 * determine the caller's user name
-	 */
-	user = getuidname(uid);
-	if (argc == 3 && strcmp(user, argv[2])) {
-		user = argv[2];
-	}
-	result = _authenticate(service, user);
-	/* Discourage use of this program as a
-	 * password cracker */
-	usleep(PASSWD_CRACKER_DELAY_MS * 1000);
-	if (result != UNIX_PASSED && uid != 0)
-		sleep(get_system_fail_delay());
-	return result;
-}