Allow the helper binary to be run as root.

This is needed if e.g. SELinux prevents access to file
storing the hashed user password.

Signed-off-by: Björn Esser <[email protected]>

Author: besser82

ChangeLog

@@ -99,6 +99,15 @@
 	* tcb.spec: Remove -DENABLE_SETFSUGID.
 	* ci/run-build-and-tests.sh: Likewise.
 
+2021-10-12  Björn Esser  <besser82 at fedoraproject.org>
+
+	pam_tcb: Allow for authentication if a system policy requires the
+	root user to acquire special capabilities.
+	* pam_tcb/support.c (unix_verify_password_plain): Allow the helper
+	binary to be run as root if e.g. SELinux prevents access to file
+	storing the hashed user password.
+	* progs/tcb_chkpwd.c (unix_verify_password): Likewise.
+
 2021-09-30  Björn Esser  <besser82 at fedoraproject.org>
 
 	pam_tcb: Fix "-Wpedantic".

pam_tcb/support.c

@@ -475,8 +475,8 @@ static int unix_verify_password_plain(pam_handle_t *pamh,
 	if (!salt) {
 		/* we're not faking, we have an existing user, so... */
 		uid_t uid = getuid();
-		if (uid == geteuid() && uid == pw->pw_uid && uid != 0) {
-			/* We are not root perhaps this is the reason? */
+		if (uid == geteuid() && (uid == pw->pw_uid || uid == 0)) {
+			/* We are not privileged enough perhaps this is the reason? */
 			D(("running helper binary"));
 			retval = unix_run_helper_binary(user, pass);
 		} else {

progs/tcb_chkpwd.c

@@ -43,7 +43,8 @@ static int unix_verify_password(const char *user, const char *pass, int nullok)
 
 	stored_hash = NULL;
 	if (pw) {
-		if (getuid() != pw->pw_uid)
+		uid_t uid = getuid();
+		if (uid != pw->pw_uid && uid != 0)
 			return AUTH_FAILED;
 
 		if (!strcmp(pw->pw_passwd, "x")) {