https://bugs.kde.org/show_bug.cgi?id=522219
Bug ID: 522219
Summary: NoNewPrivileges=true in krdpserver.service breaks PAM system-user auth (unix_chkpwd cannot read /etc/shadow)
Classification: Plasma
Product: KRdp
Version First Reported In: 6.7.80
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: general
Assignee: [email protected]
Reporter: [email protected]
CC: [email protected]
Target Milestone: ---
The shipped user unit /usr/lib/systemd/user/app-org.kde.krdpserver.service sets
NoNewPrivileges=true. With SystemUserEnabled=true (authenticate RDP clients
against the local system account), krdpserver runs as the unprivileged user and
PAM's pam_unix delegates password verification to the setuid-root helper
/usr/sbin/unix_chkpwd. NoNewPrivileges causes the kernel to ignore the setuid
bit, so unix_chkpwd runs unprivileged, cannot read /etc/shadow, and every
authentication fails.
Steps to reproduce:
1. Enable Remote Desktop with "use system credentials" (SystemUserEnabled=true).
2. Connect with any RDP client using a valid system username/password.
Result: Client briefly shows a blank/white screen, then disconnects.
Expected: Authentication succeeds with valid system credentials.
Logs (journalctl --user -u app-org.kde.krdpserver.service):
unix_chkpwd[…]: check pass; user unknown
unix_chkpwd[…]: password check failed for user (<user>)
krdpserver[…]: pam_unix(login:auth): authentication failure; … user=<user>
krdpserver[…]: pam_authenticate failure: Authentication failure
[ERROR][com.freerdp.api] rdp_peer_handle_state_active: PostConnect for peer … failed
Workaround: user drop-in with NoNewPrivileges=no restores auth.
Suggested fix: either drop NoNewPrivileges=true from the unit, or avoid the
setuid unix_chkpwd path (e.g. authenticate via a helper/service that can read
shadow), so hardening and system-user auth can coexist.
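A small defender-side check for the condition described above, added here as an example (it is not part of this report or of KRdp). It parses unit text for NoNewPrivileges=, shows how the drop-in workaround overrides the shipped setting, and lists the live commands to confirm the state on a host; the unit text and drop-in below are constructed samples.

```shell
#!/bin/sh
# Added example: detect the NoNewPrivileges / setuid unix_chkpwd conflict.

# unit_sets_nnp UNIT_TEXT -> exit 0 when NoNewPrivileges is enabled.
# systemd applies the last assignment it sees (so a drop-in appended after the
# unit wins) and accepts yes/true/on/1 as truthy values.
unit_sets_nnp() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*NoNewPrivileges[[:space:]]*=/ {
            v = tolower($2); gsub(/[[:space:]]/, "", v); last = v
        }
        END {
            if (last == "yes" || last == "true" || last == "on" || last == "1") exit 0
            exit 1
        }'
}

# diagnose UNIT_TEXT HELPER -> prints a verdict; returns 1 when system-user
# auth through the setuid helper cannot work under this unit.
diagnose() {
    if unit_sets_nnp "$1"; then
        echo "NoNewPrivileges enabled: kernel ignores the setuid bit on $2," \
             "so pam_unix cannot read /etc/shadow; system-user auth fails"
        return 1
    fi
    echo "NoNewPrivileges not enabled: $2 can still escalate to read /etc/shadow"
    return 0
}

# Constructed sample mirroring the shipped unit the report describes.
SHIPPED_UNIT='[Service]
ExecStart=/usr/bin/krdpserver
NoNewPrivileges=true'

# Drop-in used by the report's workaround. Create it with
#   systemctl --user edit app-org.kde.krdpserver.service
# (stored as ~/.config/systemd/user/app-org.kde.krdpserver.service.d/override.conf).
WORKAROUND_DROPIN='[Service]
NoNewPrivileges=no'

# Live checks on a real host (not run here). The unit-text check is a first
# pass only: sandboxing options such as SystemCallFilter= make systemd enable
# no_new_privs implicitly for unprivileged services, so ask systemd directly.
#   systemctl --user show -p NoNewPrivileges app-org.kde.krdpserver.service
#   [ -u /usr/sbin/unix_chkpwd ] && echo "helper is setuid"
```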