From 232a60b046fdc5946aebb20ca0d2c0ff6be13c3b Mon Sep 17 00:00:00 2001
From: Emmanuel Lacour
Date: Tue, 8 Nov 2011 17:18:39 +0100
Subject: [PATCH] Allow non root processes to authenticate users based on the shadow group

---
 debian/changelog | 7 +++++++
 debian/libnss-mysql-bg.postinst | 8 ++++++--
 debian/patches/00list | 1 +
 debian/patches/04_shadow.dpatch | 42 +++++++++++++++++++++++++++++++++++++++++
 4 files changed, 56 insertions(+), 2 deletions(-)
 create mode 100755 debian/patches/04_shadow.dpatch

diff --git a/debian/changelog b/debian/changelog
index a705dd6..2f95a33 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libnss-mysql-bg (1.5-3) unstable; urgency=low
+
+ * Add patch from Harald Weidner to follow the Debian policy in the way shadow
+ passwords are handled (make use of group shadow) (closes: #641404)
+
+ -- Emmanuel Lacour Tue, 08 Nov 2011 17:13:42 +0100
+
 libnss-mysql-bg (1.5-2) unstable; urgency=low
 * debian/rules: add binary-indep target (closes: #395712)
diff --git a/debian/libnss-mysql-bg.postinst b/debian/libnss-mysql-bg.postinst
index f78ffd1..d0e4df5 100644
--- a/debian/libnss-mysql-bg.postinst
+++ b/debian/libnss-mysql-bg.postinst
@@ -20,8 +20,12 @@ set -e
 case "$1" in
 configure)
- # Make sur /etc/libnss-mysql-root.cfg isn't world/group readable
- [ -f /etc/libnss-mysql-root.cfg ] && chmod 0600 /etc/libnss-mysql-root.cfg
+ # Make sur /etc/libnss-mysql-root.cfg is only root:shadow readable
+ if [ -f /etc/libnss-mysql-root.cfg ]
+ then
+ chmod 0640 /etc/libnss-mysql-root.cfg
+ chown root:shadow /etc/libnss-mysql-root.cfg
+ fi
 ;;
diff --git a/debian/patches/00list b/debian/patches/00list
index 59aa9bb..916e78a 100644
--- a/debian/patches/00list
+++ b/debian/patches/00list
@@ -1,3 +1,4 @@
 01_mkinstalldirs.dpatch
 02_autotools.dpatch
 03_config.dpatch
+04_shadow.dpatch
diff --git a/debian/patches/04_shadow.dpatch b/debian/patches/04_shadow.dpatch
new file mode 100755
index 0000000..dbfff6e
--- /dev/null
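Review bot: In the postinst hunk `chmod 0640` runs before `chown root:shadow`, so group read is granted while the file still carries whatever group it had before the upgrade; swap the two lines (`chown root:shadow /etc/libnss-mysql-root.cfg` then `chmod 0640 /etc/libnss-mysql-root.cfg`) so the wider mode is only ever applied once the group is the intended one. The swap also matters under `set -e`: if `chown` fails (no `shadow` group), the current order aborts the script with the file already left at 0640 for the old group. Debian policy asks maintainer scripts to honour local overrides, so consider wrapping both commands in `if ! dpkg-statoverride --list /etc/libnss-mysql-root.cfg >/dev/null; then … fi`. The comment still says `# Make sur`; `# Make sure` is presumably intended. The `case` statement starts and ends outside the hunk.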
+++ b/debian/patches/04_shadow.dpatch
@@ -0,0 +1,42 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 04_shadow.dpatch by
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: Add check for egid to properly works like "shadow" enabled authentications
+
+@DPATCH@
+--- libnss-mysql-bg-1.5/src/lookup.c 2011-09-13 09:28:30.000000000 +0200
++++ libnss-mysql-bg-1.5/src/lookup.c 2011-09-13 09:47:16.000000000 +0200
+@@ -21,6 +21,8 @@
+ #include "nss_mysql.h"
+ #include /* snprintf () */
+ #include /* strcpy () */
++#include
++#include
+
+ extern conf_t conf;
+
+@@ -131,12 +133,22 @@
+ int attempts = MAX_QUERY_ATTEMPTS; /* Attempt # (countdown) */
+ static uid_t euid = -1; /* Last known euid for change detect */
+ uid_t cur_euid; /* CURRENT euid */
++ gid_t cur_egid; /* CURRENT egid */
++ gid_t shadow_gid; /* gid for group shadow (usually 42 on Debian) */
+
+ DENTER
+
+ cur_euid = geteuid ();
++
++ /* Get shadow gid, if needed */
++ if(cur_euid != 0) {
++ cur_egid = getegid ();
++ struct group *grp = getgrnam("shadow");
++ shadow_gid = (grp ? grp->gr_gid : -1);
++ }
++
+ D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
+- if (restricted == ntrue && cur_euid != 0)
++ if (restricted == ntrue && cur_euid != 0 && (shadow_gid == -1 || cur_egid != shadow_gid))
+ DSRETURN (NSS_NOTFOUND)
+
+ /* Make sure euid hasn't changed, thus changing our access abilities */
-- 
2.11.0
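Review bot: `getgrnam("shadow")` in the new block runs on every call made by a non-root process and is itself an NSS query: it returns a static buffer, so the module stops being reentrant at this point, and when this module is configured for the `group` database and no earlier source answers "shadow", the call re-enters the very function this hunk patches (which starts and ends outside the hunk). Resolving the gid through `getgrnam_r` into a `static gid_t shadow_gid = (gid_t) -1`, and only while it is still unknown, keeps the module reentrant, bounds that recursion to a single nested call and drops the repeated lookup; `cur_egid` should get an initializer too, since today only the short-circuit in the new `&&` chain keeps the `cur_euid == 0` path from reading two uninitialized variables. `gid_t` is unsigned, so the `-1` sentinel works only through implicit conversion; write `(gid_t) -1` in both the assignment and the comparison. The two added `#include` lines show no header names in this rendering, so what they pull in cannot be checked here.
```c
  static gid_t shadow_gid = (gid_t) -1; /* gid of group "shadow", resolved once */
  gid_t cur_egid = (gid_t) -1;          /* CURRENT egid; only meaningful when cur_euid != 0 */
  /* … unchanged: DENTER, cur_euid = geteuid () … */
  if (cur_euid != 0) {
    struct group grbuf, *grp = NULL;
    char grstr[1024];

    cur_egid = getegid ();
    /* getgrnam_r keeps this module reentrant; resolving only while unknown
       bounds any recursion through the group database to one nested call.
       ERANGE (very long member list) leaves the gid unknown until next call. */
    if (shadow_gid == (gid_t) -1
        && getgrnam_r ("shadow", &grbuf, grstr, sizeof grstr, &grp) == 0
        && grp != NULL)
      shadow_gid = grp->gr_gid;
  }
  /* … unchanged: D () trace … */
  if (restricted == ntrue && cur_euid != 0
      && (shadow_gid == (gid_t) -1 || cur_egid != shadow_gid))
    DSRETURN (NSS_NOTFOUND)
```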