From 976c20079358d133514568fc7fd95c02df8b5773 Mon Sep 17 00:00:00 2001
From: "Dmitry V. Levin"
Date: Tue, 27 May 2025 08:00:00 +0000
Subject: [PATCH] pam_namespace: secure_opendir: do not look at the group ownership

When the directory is not group-writable, the group ownership does not matter, and when it is group-writable, there should not be any exceptions for the root group as there is no guarantee that the root group does not include non-root users.

Upstream-Status: Backport [https://github.com/linux-pam/linux-pam/commit/976c20079358d133514568fc7fd95c02df8b5773]
CVE: CVE-2025-6020
Signed-off-by: Hitendra Prajapati
---
 modules/pam_namespace/pam_namespace.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 8cba036..630cf0a 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -215,8 +215,7 @@ static int secure_opendir(const char *path, int opm, mode_t mode,
 if (dfd_next == -1)
 goto error;
 } else if (st.st_uid != 0
- || (st.st_gid != 0 && (st.st_mode & S_IWGRP))
- || (st.st_mode & S_IWOTH)) {
+ || (st.st_mode & (S_IWGRP|S_IWOTH))) {
 /* do not follow symlinks on subdirectories */
 flags |= O_NOFOLLOW;
 }
-- 
2.50.1
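Review bot: The comment `/* do not follow symlinks on subdirectories */` above the `flags |= O_NOFOLLOW;` line describes the action but not the trust decision the rewritten condition now encodes, so a reader cannot tell why a root-owned directory with neither S_IWGRP nor S_IWOTH set is still allowed to be followed while everything else is not. I would extend it to `/* only a root-owned directory that nobody but root can write to is trusted not to hold a planted symlink; any other directory is opened with O_NOFOLLOW */`. The decision rests on the st_uid and st_mode permission bits of the stat result alone, which is worth stating in the same comment so that future changes to how the directory is examined keep that invariant in mind. secure_opendir begins before and continues after this hunk.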