Your message dated Wed, 09 May 2012 08:58:07 +0000
with message-id <[email protected]>
and subject line Bug#641404: fixed in libnss-mysql-bg 1.5-3
has caused the Debian Bug report #641404,
regarding Authentication is only possible if process runs as root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
641404: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=641404
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss-mysql-bg
Version: 1.5-2

A user which is stored in a mysql database can only be authenticated
if the authentication process runs under root.

Therefore, the user can log in on the console (getty), network (sshd),
Gnome (gdm3), because these processes run as root. But he cannot unlock
his screensaver (gnome-screensaver) or a locked screen session (Ctrl-X
in running screen), because these processes do not run as root.

The reason is that libnss-mysql-bg is designed for systems where only
root is allowed to read shadow information, and /sbin/unix_chkpwd is
setuid root.

Under Debian, the policy is different: shadow information can be read
by processes running under the egid "shadow", and /sbin/unix_chkpwd
is setgid shadow, not setuid root.

In libnss-mysql-bg, two changes are needed to match Debian's policy:

1. The file /etc/libnss-mysql-root.cnf must be installed with
   permissions 640 root:shadow (currently 600 root:root).

2. Within the libnss-mysql-bg implementation, the security check
   must be extended to check not only for euid=root, but also for
   egid=shadow. See patch below.


----- cut here -----
--- libnss-mysql-bg-1.5/src/lookup.c.orig       2011-09-13 09:28:30.000000000 
+0200
+++ libnss-mysql-bg-1.5/src/lookup.c    2011-09-13 09:47:16.000000000 +0200
@@ -21,6 +21,8 @@
 #include "nss_mysql.h"
 #include <stdio.h>      /* snprintf () */
 #include <string.h>     /* strcpy () */
+#include <sys/types.h>
+#include <grp.h>

 extern conf_t conf;

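Review bot: the two new `#include` lines at the top of this hunk break the file's convention of annotating each system header with the function it supplies (`/* snprintf () */`, `/* strcpy () */`); write them as `#include <grp.h>          /* getgrnam () */` and `#include <sys/types.h>    /* gid_t */` so a later reader knows why they are there. `getegid ()`, used further down, is declared in `<unistd.h>`; the existing `geteuid ()` call suggests it already reaches this file through nss_mysql.h, but that is worth confirming rather than relying on.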
@@ -131,12 +133,22 @@
   int attempts = MAX_QUERY_ATTEMPTS;    /* Attempt # (countdown) */
   static uid_t euid = -1;               /* Last known euid for change detect */
   uid_t cur_euid;                       /* CURRENT euid */
+  gid_t cur_egid;                      /* CURRENT egid */
+  gid_t shadow_gid;                    /* gid for group shadow (usually 42 on 
Debian) */

   DENTER

   cur_euid = geteuid ();
+
+  /* Get shadow gid, if needed */
+  if(cur_euid != 0) {
+    cur_egid = getegid ();
+    struct group *grp = getgrnam("shadow");
+    shadow_gid = (grp ? grp->gr_gid : -1);
+  }
+
   D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
-  if (restricted == ntrue && cur_euid != 0)
+  if (restricted == ntrue && cur_euid != 0 && (shadow_gid == -1 || cur_egid != 
shadow_gid))
     DSRETURN (NSS_NOTFOUND)

    /* Make sure euid hasn't changed, thus changing our access abilities */
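Review bot: `cur_egid` and `shadow_gid` are only assigned inside `if(cur_euid != 0)`, so on the root path they stay uninitialized and the new condition avoids reading them only because `cur_euid != 0` short-circuits first; initialize both at declaration (`gid_t shadow_gid = (gid_t) -1;`, likewise `cur_egid`) so the check does not depend on evaluation order and `-1` is not silently converted into an unsigned `gid_t` at the comparison. Also, `getgrnam ("shadow")` resolves through NSS itself, so when group lookups are also routed to this module the call re-enters it on every non-root lookup; caching the result in a `static` the way `euid` is cached a few lines up would bound that. Minor: `struct group *grp` is declared after a statement inside the block, unlike the top-of-function declarations the rest of the function uses, and the `D (...)` line still logs only `cur_euid`, so a denial due to the egid is invisible in the debug output; extend it to print `cur_egid` and `shadow_gid`.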
----- cut here -----



--- End Message ---
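The policy this report describes (root may read shadow data; on Debian, so may a process whose effective group is "shadow"), written out as a standalone C check. This is an added example, not code from the report or from libnss-mysql-bg. It goes one step beyond the report's egid-only test by also accepting "shadow" among the supplementary groups, which is what the kernel's own permission check on a 640 root:shadow file honours; that extension, the `NO_GID` sentinel, the 64-group buffer and all function names are assumptions of this example.

```c
#include <sys/types.h>
#include <unistd.h>   /* geteuid (), getegid (), getgroups () */
#include <grp.h>      /* getgrnam () */
#include <stdio.h>

/* Sentinel meaning "group shadow could not be resolved on this system"
 * (an assumption of this example, not a value from the report). */
#define NO_GID ((gid_t) -1)

/* Pure decision function: may a caller with these credentials read shadow
 * data under the Debian policy? Kept free of syscalls so it can be exercised
 * with constructed credentials. groups/ngroups is the supplementary group
 * list and may be NULL/0. */
int shadow_access_allowed(uid_t euid, gid_t egid, gid_t shadow_gid,
                          const gid_t *groups, int ngroups)
{
    int i;

    if (euid == 0)
        return 1;               /* root: the case upstream already allowed */
    if (shadow_gid == NO_GID)
        return 0;               /* no group "shadow" here: fail closed */
    if (egid == shadow_gid)
        return 1;               /* setgid-shadow helper such as unix_chkpwd */
    for (i = 0; i < ngroups; i++)
        if (groups[i] == shadow_gid)
            return 1;           /* shadow as a supplementary group (extension) */
    return 0;
}

/* Resolve the gid of group "shadow" once and cache it; getgrnam () itself
 * goes through NSS, so an NSS module should not repeat it on every lookup. */
gid_t resolve_shadow_gid(void)
{
    static int resolved = 0;
    static gid_t cached = NO_GID;

    if (!resolved) {
        struct group *grp = getgrnam("shadow");
        cached = grp ? grp->gr_gid : NO_GID;
        resolved = 1;
    }
    return cached;
}

/* Same decision for the calling process. A getgroups () failure (including
 * more than 64 supplementary groups) is treated as an empty list, i.e. the
 * process is denied unless its euid or egid already qualifies. */
int process_may_read_shadow(void)
{
    gid_t groups[64];
    int n = getgroups(64, groups);

    if (n < 0)
        n = 0;
    return shadow_access_allowed(geteuid(), getegid(), resolve_shadow_gid(),
                                 groups, n);
}

int main(void)
{
    gid_t sg = resolve_shadow_gid();

    printf("euid=%u egid=%u", (unsigned) geteuid(), (unsigned) getegid());
    if (sg == NO_GID)
        printf(" (no group \"shadow\" on this system)");
    else
        printf(" shadow gid=%u", (unsigned) sg);
    printf(" -> %s\n", process_may_read_shadow() ? "may read shadow data"
                                                 : "access denied");
    return 0;
}
```

Run it once as root and once as an unprivileged user with the shadow group added to see the two paths the report distinguishes; a missing "shadow" group falls through to denial rather than to an uninitialized comparison.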
--- Begin Message ---
Source: libnss-mysql-bg
Source-Version: 1.5-3

We believe that the bug you reported is fixed in the latest version of
libnss-mysql-bg, which is due to be installed in the Debian FTP archive:

libnss-mysql-bg_1.5-3.debian.tar.gz
  to main/libn/libnss-mysql-bg/libnss-mysql-bg_1.5-3.debian.tar.gz
libnss-mysql-bg_1.5-3.dsc
  to main/libn/libnss-mysql-bg/libnss-mysql-bg_1.5-3.dsc
libnss-mysql-bg_1.5-3_amd64.deb
  to main/libn/libnss-mysql-bg/libnss-mysql-bg_1.5-3_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Lacour <[email protected]> (supplier of updated libnss-mysql-bg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 18 Apr 2012 11:49:33 +0200
Source: libnss-mysql-bg
Binary: libnss-mysql-bg
Architecture: source amd64
Version: 1.5-3
Distribution: unstable
Urgency: low
Maintainer: Emmanuel Lacour <[email protected]>
Changed-By: Emmanuel Lacour <[email protected]>
Description: 
 libnss-mysql-bg - NSS module for using MySQL as a naming service
Closes: 641404 649938 664438
Changes: 
 libnss-mysql-bg (1.5-3) unstable; urgency=low
 .
   * Add patch from Harald Weidner to follow the Debian policy in the way shadow
     passwords are handled (make use of group shadow) (closes: #641404)
   * Remove deprecated dpatch and upgrade to packaging format "3.0 quilt"
     (closes: #664438)
   * Update to Standards-Version to 3.9.3 and debhelper to 9.
   * Use mysql_config to find mysql libdir when libmysqlclient is multi-arch
     (closes: #649938)
   * Lintian cleanup (ancient-autotools-helper-file,
     debhelper-but-no-misc-depends, package-name-doesnt-match-sonames,
     spelling-error-in-description)
Checksums-Sha1: 
 96e782b1db7ba282d8e3bb4fb3c01f914b5bca83 1782 libnss-mysql-bg_1.5-3.dsc
 a9772bd010652ceb1c5cd7a71cbe19df16179f5e 4934 libnss-mysql-bg_1.5-3.debian.tar.gz
 8d9e2894db06a095de3b1340b6952d91f6414d87 36768 libnss-mysql-bg_1.5-3_amd64.deb
Checksums-Sha256: 
 b39c92914af79e77ddaf85546773f56c1094d38886dce86ac4a045de93d90e6e 1782 libnss-mysql-bg_1.5-3.dsc
 7d4d8193da822a7755d63cc9673cd25fcec71b6d1920d00500cd77bc0062be04 4934 libnss-mysql-bg_1.5-3.debian.tar.gz
 c5e322c621212e2925cf6ec64e31e9b716f48aff7e4a817cee03cb0f6a00d619 36768 libnss-mysql-bg_1.5-3_amd64.deb
Files: 
 34cda2b62d992929368cd8e62cdc7ff1 1782 admin optional libnss-mysql-bg_1.5-3.dsc
 b4799069db7e0e4b420d17ff10baff94 4934 admin optional libnss-mysql-bg_1.5-3.debian.tar.gz
 1ce0ea12c464455f1ceb4553374a11dc 36768 admin optional libnss-mysql-bg_1.5-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
