Bug#543589: libpam0g: broken_shadow not working due to pam_unix_dont_trust_chkpwd_caller.patch
Package: libpam0g
Version: 1.0.1-5+lenny1
Severity: normal

Upstream unix_chkpwd drops privileges and continues when a non-root user attempts to authenticate someone other than himself. The pam_unix_dont_trust_chkpwd_caller patch disables this behavior pending analysis.

I have enabled the broken_shadow option due to a limitation of libnss-ldapd, and this is supposed to make pam_unix return success when getpwnam() returns something but getspnam() does not. However the code in pam_unix_acct.c will only do so if the error is PAM_AUTHINFO_UNAVAIL. The above debian patch returns PAM_AUTH_ERR, and so users cannot verify other users.

I see two solutions:

1. Use setgid(getgid()) as suggested in the patch. This closely matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL after getspnam() is called.

2. Change the return PAM_AUTH_ERR introduced by the patch to return PAM_AUTHINFO_UNAVAIL, at least for the chkexpiry subcommand.

I know of no workaround for this problem other than either patching PAM or running the service as root.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam0g depends on:
ii  debconf [debconf-2.0]  1.5.24          Debian configuration management sy
ii  libc6                  2.7-18          GNU C Library: Shared libraries
ii  libpam-runtime         1.0.1-5+lenny1  Runtime support for the PAM librar

libpam0g recommends no packages.

Versions of packages libpam0g suggests:
ii  libpam-doc             1.0.1-5+lenny1  Documentation of PAM

-- debconf information excluded
Bug#543589: libpam0g: broken_shadow not working due to pam_unix_dont_trust_chkpwd_caller.patch
On Tue, Aug 25, 2009 at 07:13:55PM -0400, Michael Spang wrote:
> I see two solutions:
>
> 1. Use setgid(getgid()) as suggested in the patch. This closely matches
>    upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL after getspnam()
>    is called.

What testing have you done of this approach? I agree that this appears to be the right thing to do, and it holds up to my own analysis but it would be great to have some empirical confirmation before I make the change.

Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com                                     vor...@debian.org
Bug#543589: libpam0g: broken_shadow not working due to pam_unix_dont_trust_chkpwd_caller.patch
On Tue, Aug 25, 2009 at 7:42 PM, Steve Langasek <vor...@debian.org> wrote:
> On Tue, Aug 25, 2009 at 07:13:55PM -0400, Michael Spang wrote:
> > I see two solutions:
> >
> > 1. Use setgid(getgid()) as suggested in the patch. This closely matches
> >    upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL after getspnam()
> >    is called.
>
> What testing have you done of this approach? I agree that this appears to
> be the right thing to do, and it holds up to my own analysis but it would
> be great to have some empirical confirmation before I make the change.

I only verified that the particular problem I was having does not occur after having made this change. Security-wise after dropping privileges unix_chkpwd won't be able to do anything the user himself could not, so I think we just have to make sure that part is correct.

If I use the following patch:

--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c +++ pam.deb/modules/pam_unix/unix_chkpwd.c @@ -101,10 +101,10 @@ /* if the caller specifies the username, verify that user matches it */ if (strcmp(user, argv[1])) { - user = argv[1]; - /* no match - permanently change to the real user and proceed */ - if (setuid(getuid()) != 0) - return PAM_AUTH_ERR; + gid_t gid = getgid(); + if (setregid(gid, gid) != 0) + return PAM_AUTH_ERR; + sleep(20); } }

Then I can at least verify that all privileges are dropped:

sid:1379:~% ps -eo ruser,euser,suser,rgroup,egroup,sgroup,args | grep chkpwd
mspang mspang mspang mspang mspang mspang /sbin/unix_chkpwd testuser chkexpiry

Michael
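
Review bot: the `sleep(20);` at the end of the added lines is only there so the process can be caught with ps, and it has to be removed before this goes into the package, since it would stall every call that takes the mismatched-user branch for 20 seconds. The `-` side also deletes `user = argv[1];` and nothing on the `+` side replaces it, so it is worth confirming that the code after this block still acts on the name in argv[1] and not on the caller's own name. Last, the change replaces `setuid(getuid())` with a group-only drop via `setregid(gid, gid)`; a short comment saying why the uid call is no longer needed, in place of the deleted "no match" comment, would document that assumption.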
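
The concern raised in the last message, that the privilege drop itself has to be correct, can also be checked from inside the process instead of only with ps. The following C code is an added example, not code from pam_unix or from anyone in this thread; `drop_group_privileges` is a hypothetical helper name, and it assumes a POSIX system where the program may be installed set-group-ID and is not running with effective UID 0.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not from pam_unix): permanently drop set-group-ID
 * privilege and confirm the drop cannot be undone.
 * Returns 0 on success, -1 if the drop failed or was only temporary. */
int drop_group_privileges(void)
{
    gid_t rgid = getgid();       /* group of the invoking user */
    gid_t old_egid = getegid();  /* privileged group if the binary is setgid */

    /* Same call as the patch in the thread: real and effective GID become
     * the caller's own. Because the real GID is being set, Linux also sets
     * the saved set-group-ID to the new effective GID. */
    if (setregid(rgid, rgid) != 0)
        return -1;

    /* Check 1: both visible IDs must now be the caller's own. */
    if (getgid() != rgid || getegid() != rgid)
        return -1;

    /* Check 2: if there was a privileged group to lose, switching back to
     * it must fail. Success here would mean the saved set-group-ID still
     * holds the old group. (A process with effective UID 0 may change
     * groups freely, so this check assumes a non-root caller.) */
    if (old_egid != rgid && setegid(old_egid) == 0)
        return -1;

    return 0;
}

int main(void)
{
    if (drop_group_privileges() != 0) {
        fprintf(stderr, "group privilege drop failed or was not permanent\n");
        return 1;
    }
    printf("rgid=%ld egid=%ld\n", (long)getgid(), (long)getegid());
    return 0;
}
```

The helper leaves supplementary groups untouched, which matches the scope of the `setregid(gid, gid)` call in the patch.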