Leverage unix_chkpwd

If doing PAM authentication, we can setuid to the target user and then pam_unix will use unix_chkpwd on our behalf. Problems with this working in the lab was resolved by a yum reinstall pam, so it was presumably due to messed up setcap or similar experiments.
2025-10-30 19:02:29 +00:00 · 2020-02-13 10:37:15 -05:00
parent 6a12af1242
commit 4437e81e04
2 changed files with 12 additions and 2 deletions
--- a/confluent_server/confluent/auth.py
+++ b/confluent_server/confluent/auth.py
@@ -28,6 +28,7 @@ import hashlib
 import hmac
 import multiprocessing
 import os
+import pwd
 import confluent.userutil as userutil
 import confluent.util as util
 pam = None
@@ -258,6 +259,13 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
            _passcache[(user, tenant)] = hashlib.sha256(passphrase).digest()
            return authorize(user, element, tenant, operation)
    if pam:
+        pwe = None
+        try:
+            pwe = pwd.getpwnam(user)
+        except KeyError:
+            #pam won't work if the user doesn't exist, don't go further
+            eventlet.sleep(0.05)  # stall even on test for existence of a username
+            return None
        if os.getuid() != 0:
            # confluent is running with reduced privilege, however, pam_unix refuses
            # to let a non-0 user check anothers password.
@@ -267,7 +275,9 @@ def check_user_passphrase(name, passphrase, operation=None, element=None, tenant
            if not pid:
                usergood = False
                try:
-                    os.setuid(0)
+                    # we change to the uid we are trying to authenticate as, because
+                    # pam_unix uses unix_chkpwd which reque
+                    os.setuid(pwe.pw_uid)
                    usergood = pam.authenticate(user, passphrase, service=_pamservice)
                finally:
                    os._exit(0 if usergood else 1)
--- a/confluent_server/systemd/confluent.service
+++ b/confluent_server/systemd/confluent.service
@@ -14,7 +14,7 @@ ConfigurationDirectory=confluent
 ExecStart=/opt/confluent/bin/confluent
 ExecStop=/opt/confluent/bin/confetty shutdown /
 Restart=on-failure
-AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH CAP_CHOWN
+AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN
 User=confluent
 Group=confluent
 DevicePolicy=closed