From 4437e81e040fa7f2c866add64c4f6ab30604be0f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Thu, 13 Feb 2020 10:37:15 -0500
Subject: [PATCH] Leverage unix_chkpwd

If doing PAM authentication, we can setuid to the target user and then pam_unix will use unix_chkpwd on our behalf. Problems with this working in the lab was resolved by a yum reinstall pam, so it was presumably due to messed up setcap or similar experiments.
---
 confluent_server/confluent/auth.py | 12 +++++++++++-
 confluent_server/systemd/confluent.service | 2 +-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/confluent_server/confluent/auth.py b/confluent_server/confluent/auth.py
index 5d3906b9..05eeacb6 100644
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -28,6 +28,7 @@ import hashlib
 import hmac
 import multiprocessing
 import os
+import pwd
 import confluent.userutil as userutil
 import confluent.util as util
 pam = None
@@ -258,6 +259,13 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
         _passcache[(user, tenant)] = hashlib.sha256(passphrase).digest()
         return authorize(user, element, tenant, operation)
     if pam:
+        pwe = None
+        try:
+            pwe = pwd.getpwnam(user)
+        except KeyError:
+            #pam won't work if the user doesn't exist, don't go further
+            eventlet.sleep(0.05) # stall even on test for existence of a username
+            return None
         if os.getuid() != 0:
             # confluent is running with reduced privilege, however, pam_unix refuses
             # to let a non-0 user check anothers password.
@@ -267,7 +275,9 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
             if not pid:
                 usergood = False
                 try:
-                    os.setuid(0)
+                    # we change to the uid we are trying to authenticate as, because
+                    # pam_unix uses unix_chkpwd which reque
+                    os.setuid(pwe.pw_uid)
                     usergood = pam.authenticate(user, passphrase, service=_pamservice)
                 finally:
                     os._exit(0 if usergood else 1)
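Review bot: The constant `eventlet.sleep(0.05)` in the new `except KeyError:` branch does not equalise timing with the existing-user path, which forks a child and runs `pam.authenticate`; if that path consistently takes more or less than 50 ms, whether a username exists on the host can still be inferred from the response time, so the comment's claim of stalling "even on test for existence" is only partially met. A more robust equaliser is to pad the unknown-user case to the measured duration of a real PAM round trip rather than a fixed number, and to note in the comment that the value is a heuristic. Two smaller points: `pwe = None` before the `try:` is dead, since the `try` either binds `pwe` or returns, and the comment should read `# pam won't work if the user doesn't exist, don't go further` with a space after `#`. `eventlet` is not among the imports visible in the first hunk, so it is presumably imported earlier in the file; `check_user_passphrase` begins and ends outside this hunk, so I cannot confirm that `return None` matches what the later failure path returns.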
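Review bot: The new comment is cut off mid-word (`# pam_unix uses unix_chkpwd which reque`) and should be completed, for example `# pam_unix defers to the setuid unix_chkpwd helper, which (as I understand it) only verifies the password of the uid that invokes it or of root, so the child must run as the target user`. Only the uid is switched in the child, so it keeps the confluent gid and supplementary groups while it talks to PAM; dropping them first in the conventional gid-then-uid order with `os.setgid(pwe.pw_gid)` and `os.initgroups(user, pwe.pw_gid)` before `os.setuid(pwe.pw_uid)` keeps the helper at the target user's full identity. A failure of `os.setuid` itself (for instance a missing CAP_SETUID after a packaging change, which the commit message suggests happened in the lab) is absorbed by the bare `finally:` and reported as exit status 1, indistinguishable from a wrong password; logging the exception in the child before `os._exit` would make that misconfiguration detectable from the service log. Note that `pwe.pw_uid` is 0 when the account is root, which reproduces the removed `os.setuid(0)` for that case only. The enclosing function continues outside the hunk.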
diff --git a/confluent_server/systemd/confluent.service b/confluent_server/systemd/confluent.service
index 9f6e51c5..c9d2d800 100644
--- a/confluent_server/systemd/confluent.service
+++ b/confluent_server/systemd/confluent.service
@@ -14,7 +14,7 @@ ConfigurationDirectory=confluent
 ExecStart=/opt/confluent/bin/confluent
 ExecStop=/opt/confluent/bin/confetty shutdown /
 Restart=on-failure
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN
 User=confluent
 Group=confluent
 DevicePolicy=closed
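Review bot: Dropping `CAP_DAC_READ_SEARCH` is the right direction once password checks are delegated to unix_chkpwd, but the remaining `AmbientCapabilities=` line is now load-bearing for that design without saying so: `CAP_SETUID` and `CAP_SETGID` are what allow the auth code's per-user `os.setuid`, and the setuid unix_chkpwd helper can only elevate if the unit does not set `NoNewPrivileges=yes` or a sandboxing option that implies it (`SystemCallFilter=`, for example). The rest of the unit is outside this hunk, so I cannot tell whether any such option is present. A comment directly above the line, such as `# CAP_SETUID/CAP_SETGID: auth.py switches to the target uid so pam_unix can invoke unix_chkpwd; do not add NoNewPrivileges= or options that imply it`, would stop a later hardening pass from silently breaking PAM login in a way that only shows up as failed authentications.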