Bug#543589: libpam0g: broken_shadow not working due to pam_unix_dont_trust_chkpwd_caller.patch

2009-08-25 Thread Michael Spang
Package: libpam0g
Version: 1.0.1-5+lenny1
Severity: normal

Upstream unix_chkpwd drops privileges and continues when a non-root
user attempts to authenticate someone other than himself. The
pam_unix_dont_trust_chkpwd_caller patch disables this behavior
pending analysis.

I have enabled the broken_shadow option due to a limitation of
libnss-ldapd, and this is supposed to make pam_unix return success
when getpwnam() returns something but getspnam() does not. However the
code in pam_unix_acct.c will only do so if the error is
PAM_AUTHINFO_UNAVAIL. The above debian patch returns PAM_AUTH_ERR, and
so users cannot verify other users.

I see two solutions:

1. Use setgid(getgid()) as suggested in the patch. This closely
   matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL
   after getspnam() is called.

2. Change the return PAM_AUTH_ERR introduced by the patch to return
   PAM_AUTHINFO_UNAVAIL, at least for the chkexpiry subcommand.

I know of no workaround for this problem other than either patching
PAM or running the service as root.

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam0g depends on:
ii  debconf [debconf-2.0]  1.5.24         Debian configuration management sy
ii  libc6                  2.7-18         GNU C Library: Shared libraries
ii  libpam-runtime         1.0.1-5+lenny1 Runtime support for the PAM librar

libpam0g recommends no packages.

Versions of packages libpam0g suggests:
ii  libpam-doc             1.0.1-5+lenny1 Documentation of PAM

-- debconf information excluded



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#543589: libpam0g: broken_shadow not working due to pam_unix_dont_trust_chkpwd_caller.patch

2009-08-25 Thread Steve Langasek
On Tue, Aug 25, 2009 at 07:13:55PM -0400, Michael Spang wrote:
> I see two solutions:
>
> 1. Use setgid(getgid()) as suggested in the patch. This closely
>    matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL
>    after getspnam() is called.

What testing have you done of this approach?  I agree that this appears to
be the right thing to do, and it holds up to my own analysis but it would be
great to have some empirical confirmation before I make the change.

Thanks,
-- 
Steve Langasek   Give me a lever long enough and a Free OS
Debian Developer   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slanga...@ubuntu.com vor...@debian.org




Bug#543589: libpam0g: broken_shadow not working due to pam_unix_dont_trust_chkpwd_caller.patch

2009-08-25 Thread Michael Spang
On Tue, Aug 25, 2009 at 7:42 PM, Steve Langasek <vor...@debian.org> wrote:
> On Tue, Aug 25, 2009 at 07:13:55PM -0400, Michael Spang wrote:
>> I see two solutions:
>>
>> 1. Use setgid(getgid()) as suggested in the patch. This closely
>>    matches upstream. We'll end up returning PAM_AUTHINFO_UNAVAIL
>>    after getspnam() is called.
>
> What testing have you done of this approach?  I agree that this appears to
> be the right thing to do, and it holds up to my own analysis but it would be
> great to have some empirical confirmation before I make the change.

I only verified that the particular problem I was having does not
occur after having made this change. Security-wise, after dropping
privileges unix_chkpwd won't be able to do anything the user himself
could not, so I think we just have to make sure that part is correct.

If I use the following patch:

--- pam.deb.orig/modules/pam_unix/unix_chkpwd.c
+++ pam.deb/modules/pam_unix/unix_chkpwd.c
@@ -101,10 +101,10 @@
  /* if the caller specifies the username, verify that user
 matches it */
  if (strcmp(user, argv[1])) {
-   user = argv[1];
-   /* no match - permanently change to the real user and proceed */
-   if (setuid(getuid()) != 0)
-   return PAM_AUTH_ERR;
+   gid_t gid = getgid();
+   if (setregid(gid, gid) != 0)
+   return PAM_AUTH_ERR;
+   sleep(20);
  }
}
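
Review bot: the sleep(20) left at the end of the new branch is only there to hold the process for the ps check and has to come out before this is applied, otherwise every call where the names differ stalls for 20 seconds. The hunk also deletes user = argv[1]; and the setuid(getuid()) drop without replacing either: any code after this block that relies on user will now see the caller's name rather than the requested one, and only the group IDs are reset, so the drop is complete only while the helper is installed setgid and never setuid. Consider keeping the assignment, and calling setregid(gid, gid) before the existing setuid(getuid()) rather than instead of it.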


Then I can at least verify that all privileges are dropped:

sid:1379:~% ps -eo ruser,euser,suser,rgroup,egroup,sgroup,args | grep chkpwd
mspang   mspang   mspang   mspang   mspang   mspang   /sbin/unix_chkpwd testuser chkexpiry

Michael
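
The ps check above can also be made from inside the process, so the helper confirms the drop itself instead of relying on a sleep and an outside observer. The following is an added example, not code from this thread or from PAM: the function names are hypothetical, it assumes Linux with /proc mounted, and it goes beyond the patch by resetting the user IDs as well as the group IDs.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Read the "Uid:" or "Gid:" line of /proc/self/status (Linux only; assumed
 * mounted): real, effective, saved, filesystem IDs. Returns 0 if found. */
static int read_ids(const char *key, unsigned long ids[4])
{
    char line[256], name[16];
    int found = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return -1;
    while (found != 0 && fgets(line, sizeof line, f) != NULL) {
        if (sscanf(line, "%15s %lu %lu %lu %lu", name,
                   &ids[0], &ids[1], &ids[2], &ids[3]) == 5 &&
            strcmp(name, key) == 0)
            found = 0;
    }
    fclose(f);
    return found;
}

/* 1 if all four IDs on that line are equal, i.e. nothing is left to regain. */
static int ids_all_equal(const char *key)
{
    unsigned long v[4];
    if (read_ids(key, v) != 0)
        return 0;
    return v[0] == v[1] && v[1] == v[2] && v[2] == v[3];
}

/* Hypothetical helper: permanent drop, group first, then check the result. */
static int drop_and_verify(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    return (ids_all_equal("Gid:") && ids_all_equal("Uid:")) ? 0 : -1;
}

int main(void)
{
    int rc = drop_and_verify();
    printf("privileges %s\n", rc == 0 ? "dropped and verified" : "NOT dropped");
    return rc == 0 ? 0 : 1;
}
```

The columns compared here are the same ones the ps invocation prints (real, effective and saved), plus the filesystem ID.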


