Allow non root processes to authenticate users based on the shadow group
authorEmmanuel Lacour <elacour@easter-eggs.com>
Tue, 8 Nov 2011 16:18:39 +0000 (17:18 +0100)
committerEmmanuel Lacour <elacour@easter-eggs.com>
Tue, 8 Nov 2011 16:18:39 +0000 (17:18 +0100)
debian/changelog
debian/libnss-mysql-bg.postinst
debian/patches/00list
debian/patches/04_shadow.dpatch [new file with mode: 0755]

index a705dd6..2f95a33 100644 (file)
@@ -1,3 +1,10 @@
+libnss-mysql-bg (1.5-3) unstable; urgency=low
+
+  * Add patch from Harald Weidner to follow the Debian policy in the way shadow
+    passwords are handled (make use of group shadow) (closes: #641404)
+
+ -- Emmanuel Lacour <elacour@home-dn.net>  Tue, 08 Nov 2011 17:13:42 +0100
+
 libnss-mysql-bg (1.5-2) unstable; urgency=low
 
   * debian/rules: add binary-indep target (closes: #395712)
 libnss-mysql-bg (1.5-2) unstable; urgency=low
 
   * debian/rules: add binary-indep target (closes: #395712)
index f78ffd1..d0e4df5 100644 (file)
@@ -20,8 +20,12 @@ set -e
 case "$1" in
     configure)
 
 case "$1" in
     configure)
 
-    # Make sur /etc/libnss-mysql-root.cfg isn't world/group readable
-    [ -f /etc/libnss-mysql-root.cfg ] && chmod 0600 /etc/libnss-mysql-root.cfg
+    # Make sur /etc/libnss-mysql-root.cfg is only root:shadow readable
+    if [ -f /etc/libnss-mysql-root.cfg ]
+    then
+        chmod 0640 /etc/libnss-mysql-root.cfg
+        chown root:shadow /etc/libnss-mysql-root.cfg
+    fi
 
     ;;
 
 
     ;;
 
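Review bot: The unconditional chown/chmod of /etc/libnss-mysql-root.cfg overrides any ownership or mode the administrator has registered with dpkg-statoverride, which Debian policy expects maintainer scripts to honour; guard the block with `if [ -f /etc/libnss-mysql-root.cfg ] && ! dpkg-statoverride --list /etc/libnss-mysql-root.cfg >/dev/null 2>&1`. With that guard an admin who deliberately locked the file back to 0600 root:root is not silently re-opened to the shadow group on every upgrade. The comment should read "Make sure" rather than "Make sur". The enclosing `configure)` case arm continues outside the hunk.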
index 59aa9bb..916e78a 100644 (file)
@@ -1,3 +1,4 @@
 01_mkinstalldirs.dpatch
 02_autotools.dpatch
 03_config.dpatch
 01_mkinstalldirs.dpatch
 02_autotools.dpatch
 03_config.dpatch
+04_shadow.dpatch
diff --git a/debian/patches/04_shadow.dpatch b/debian/patches/04_shadow.dpatch
new file mode 100755 (executable)
index 0000000..dbfff6e
--- /dev/null
@@ -0,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_shadow.dpatch by  <elacour@home-dn.net>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add check for egid to properly works like "shadow" enabled authentications
+
+@DPATCH@
+--- libnss-mysql-bg-1.5/src/lookup.c       2011-09-13 09:28:30.000000000 +0200
++++ libnss-mysql-bg-1.5/src/lookup.c    2011-09-13 09:47:16.000000000 +0200
+@@ -21,6 +21,8 @@
+ #include "nss_mysql.h"
+ #include <stdio.h>      /* snprintf () */
+ #include <string.h>     /* strcpy () */
++#include <sys/types.h>
++#include <grp.h>
+
+ extern conf_t conf;
+
+@@ -131,12 +133,22 @@
+   int attempts = MAX_QUERY_ATTEMPTS;    /* Attempt # (countdown) */
+   static uid_t euid = -1;               /* Last known euid for change detect */
+   uid_t cur_euid;                       /* CURRENT euid */
++  gid_t cur_egid;                      /* CURRENT egid */
++  gid_t shadow_gid;                    /* gid for group shadow (usually 42 on Debian) */
+
+   DENTER
+
+   cur_euid = geteuid ();
++
++  /* Get shadow gid, if needed */
++  if(cur_euid != 0) {
++    cur_egid = getegid ();
++    struct group *grp = getgrnam("shadow");
++    shadow_gid = (grp ? grp->gr_gid : -1);
++  }
++
+   D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
+-  if (restricted == ntrue && cur_euid != 0)
++  if (restricted == ntrue && cur_euid != 0 && (shadow_gid == -1 || cur_egid != shadow_gid))
+     DSRETURN (NSS_NOTFOUND)
+
+    /* Make sure euid hasn't changed, thus changing our access abilities */
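Review bot: The getgrnam("shadow") call added ahead of the restricted check is made from inside an NSS module, which is unsafe on two counts: getgrnam() fills the caller's static group buffer, so a threaded program's own getgr* result is clobbered by a passwd lookup, and if `group:` is itself served by this module the call re-enters this lookup with no guard and, as far as the hunk shows, no termination. It also repeats the resolution on every non-root lookup, and the `-1` sentinel is compared against an unsigned gid_t, which works only by implicit conversion. I would resolve the gid once with getgrnam_r() into a static, mark it resolved before making the call so a re-entrant lookup falls through, and spell the sentinel `(gid_t) -1`; the enclosing function starts before the hunk, so the new statics belong beside the existing `static uid_t euid`. Whether this module holds a lock across the lookup is not visible here, so the re-entry path should be checked against that before merging.
```c
  static gid_t shadow_gid = (gid_t) -1;   /* resolved once, on first non-root call */
  static int shadow_gid_resolved = 0;
  gid_t cur_egid = (gid_t) -1;

  DENTER

  cur_euid = geteuid ();

  /* Non-root callers may do restricted lookups only with egid shadow.
   * Use the reentrant API and cache the result: getgrnam() would clobber
   * the caller's static group buffer and re-enter NSS from inside NSS. */
  if (cur_euid != 0)
    {
      cur_egid = getegid ();
      if (!shadow_gid_resolved)
        {
          struct group gr, *grp = NULL;
          char buf[1024];
          shadow_gid_resolved = 1;   /* set first so a re-entrant lookup does not recurse */
          if (getgrnam_r ("shadow", &gr, buf, sizeof buf, &grp) == 0 && grp)
            shadow_gid = grp->gr_gid;
        }
    }

  D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
  if (restricted == ntrue && cur_euid != 0
      && (shadow_gid == (gid_t) -1 || cur_egid != shadow_gid))
    DSRETURN (NSS_NOTFOUND)
  /* … unchanged: euid change detection … */
```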