From 56a567d507d480b86fd209ba04fbf17021b8b21a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=C3=89rico=20Nogueira?= Date: Fri, 30 Jul 2021 17:06:48 -0300 Subject: [PATCH] util-linux: backport fix for su(1). Since trusting PAM_RUSER is left to administrators, make sure it can be trusted if necessary. --- ...01-lib-pwdutils-don-t-use-getlogin-3.patch | 47 +++++++++++++++++++ srcpkgs/util-linux/template | 2 +- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 srcpkgs/util-linux/patches/0001-lib-pwdutils-don-t-use-getlogin-3.patch diff --git a/srcpkgs/util-linux/patches/0001-lib-pwdutils-don-t-use-getlogin-3.patch b/srcpkgs/util-linux/patches/0001-lib-pwdutils-don-t-use-getlogin-3.patch new file mode 100644 index 00000000000..facf97c6674 --- /dev/null +++ b/srcpkgs/util-linux/patches/0001-lib-pwdutils-don-t-use-getlogin-3.patch @@ -0,0 +1,47 @@ +From 3386b92e09e8a945cb071808e012e0b600f8bcb2 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C3=89rico=20Nogueira?= +Date: Tue, 27 Jul 2021 23:41:30 -0300 +Subject: [PATCH 1/4] lib/pwdutils: don't use getlogin(3). +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Per the man page, it shouldn't be used for security purposes. This is an +issue especially on musl, where getlogin is implemented as +getenv("LOGNAME"). Since xgetlogin is being used as user identity in su(1), to +set PAM_RUSER, we simply switch to always using getpwuid(getuid()). + +Signed-off-by: Érico Nogueira +--- + lib/pwdutils.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/lib/pwdutils.c b/lib/pwdutils.c +index d97020cb9..641a9da40 100644 +--- a/lib/pwdutils.c ++++ b/lib/pwdutils.c +@@ -104,11 +104,6 @@ char *xgetlogin(void) + { + struct passwd *pw = NULL; + uid_t ruid; +- char *user; +- +- user = getlogin(); +- if (user) +- return xstrdup(user); + + /* GNU Hurd implementation has an extension where a process can exist in a + * non-conforming environment, and thus be outside the realms of POSIX +@@ -117,6 +112,9 @@ char *xgetlogin(void) + * environment. + * + * http://austingroupbugs.net/view.php?id=511 ++ * ++ * The same implementation is useful for other systems, since getlogin(3) ++ * shouldn't be used as actual identification. + */ + errno = 0; + ruid = getuid(); +-- +2.32.0 + diff --git a/srcpkgs/util-linux/template b/srcpkgs/util-linux/template index 7094650c320..41bffc54588 100644 --- a/srcpkgs/util-linux/template +++ b/srcpkgs/util-linux/template @@ -2,7 +2,7 @@ # Keep this package sync with util-linux-common pkgname=util-linux version=2.37.1 -revision=1 +revision=2 build_style=gnu-configure configure_args="--exec-prefix=\${prefix} --enable-libuuid --disable-makeinstall-chown --enable-libblkid --enable-fsck --disable-rpath --enable-fs-paths-extra=/usr/sbin:/usr/bin