From a8153375a5006f5ca766b58a1a8f488699314a74 Mon Sep 17 00:00:00 2001
From: Fabian Vogt
Date: Thu, 3 Aug 2017 09:27:10 +0200
Subject: [PATCH 2/3] Avoid dropping privileges by initializing gcrypt secmem

It's a documented side effect that initialization of secure memory in gcrypt drops privileges if getuid() != geteuid(). This results in breaking setuid callers, like sudo or su.
---
 pam_kwallet.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/pam_kwallet.c b/pam_kwallet.c
index cba57e7..dc61115 100644
--- a/pam_kwallet.c
+++ b/pam_kwallet.c
@@ -696,12 +696,18 @@ int kwallet_hash(const char *passphrase, struct passwd *userInfo, char *key)
 gcry_error_t error;
+ /* We cannot call GCRYCTL_INIT_SECMEM as it drops privileges if getuid() != geteuid().
+ * PAM modules are in many cases executed through setuid binaries, which this call
+ * would break.
+ * It was never effective anyway as neither key nor passphrase are in secure memory,
+ * which is a prerequisite for secure operation...
 error = gcry_control(GCRYCTL_INIT_SECMEM, 32768, 0);
 if (error != 0) {
 free(salt);
 syslog(LOG_ERR, "%s-kwalletd: Can't get secure memory: %d", logPrefix, error);
 return 1;
 }
+ */
 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
-- 
2.13.2
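Review bot: The disabled call is kept as commented-out code between the `/*` on the first added line and the lone `+ */` after the closing brace; delete the six dead lines (`error = gcry_control(...)` through `}`) and close the comment directly on the last explanatory line, `* which is a prerequisite for secure operation... */`, so the old error path (`free(salt)`, `syslog`, `return 1`) cannot be accidentally re-enabled by a later edit and does not read as live code. With neither GCRYCTL_INIT_SECMEM nor GCRYCTL_DISABLE_SECMEM issued before `gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0)`, libgcrypt is left with no explicit secure-memory decision; whether the KDF or hashing calls later in this function request secure memory is not visible in the hunk, so it is worth confirming against the libgcrypt version in use that no implicit pool setup (and with it the same privilege change) can be triggered from inside the library, and noting the result in the comment. The comment also concedes that `key` and `passphrase` stay in ordinary memory, which makes explicit wiping of those buffers once they are no longer needed the only remaining protection; the rest of `kwallet_hash` where that would belong is outside the hunk.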