https://bugzilla.novell.com/show_bug.cgi?id=278171

           Summary: Possible root compromise in pam
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: openSUSE 10.2
            Status: NEW
          Keywords: security
          Severity: Critical
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: bob.cregan@bristol.ac.uk
         QAContact: qa@suse.de


The base of the PAM system has an oddity that causes a severe security issue.
With the configuration that I have, users get root access via PAM-enabled
services. The config I have is:

marfc@math-pc80:~> rpm -qa | grep pam
pam_mount-0.18-20
pam-config-0.13-8
pam-devel-0.99.6.3-24
pam-0.99.6.3-29.1
pam-modules-10.2-31
pam_krb5-2.2.11-17
pam_ldap-183-10
marfc@math-pc80:~>

math-pc80:~ # cat /etc/pam.d/common-auth
#%PAM-1.0
#
auth    required        pam_env.so
auth    required        pam_krb5.so minimum_uid=200
auth    sufficient      pam_unix2.so
auth    required        pam_mount.so

math-pc80:~ # cat /etc/security/pam_unix2.conf
# pam_unix2 config file
#
# This file contains options for the pam_unix2.so module.
# It contains a list of options for every type of management group,
# which will be used for authentication, account management and
# password management. Not all options will be used from all types of
# management groups.
#
# At first, pam_unix2 will read this file and then uses the local
# options. Not all options can be set her global.
#
# Allowed options are:
# .........
# session: none
auth:
account:
password:
session: none
############

A normal user using this setup can su and get a root shell with a null
password. There is similar behavior via ssh.

I first noticed the behavior with pam_smbpw but then switched to check that
the behavior is independent of the module, and it is also replicated with a
module provided by the distribution.

If the control value in the pam_unix2 line is changed to "required" then the
behavior disappears. Similarly, if the line for pam_mount is removed the
behavior disappears. The Kerberos module works.

I have also seen this behavior on a SuSE 10.1 machine. I have cross-checked
with a couple of people here and we all believe that it is not a
configuration issue.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
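Editor's note, added example (not part of the bug report and not pam's own code): the stack above can be reasoned about with a small model of how libpam walks an "auth" stack under the classic control flags (required, requisite, sufficient, optional, plus PAM_IGNORE). The per-module return codes in WRONG_PASSWORD are assumptions chosen to illustrate the control-flag semantics, not an established root cause: pam_env's auth hook and a pam_krb5 call for a uid below minimum_uid are assumed to return PAM_IGNORE, and pam_mount's auth hook is assumed to return success. Under those assumptions the model reproduces the three outcomes the report describes (the original stack accepts a wrong password, changing pam_unix2 to required rejects it, and dropping pam_mount rejects it), which makes the audit rule visible: a failed `sufficient` module contributes nothing to the verdict, so the outcome falls to whatever `required` modules follow it.

```python
# Added example: a minimal model of libpam's auth-stack dispatcher, used to
# audit a common-auth file.  Module return codes are supplied by the caller;
# the ones in WRONG_PASSWORD below are assumptions for illustration only.
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"            # module asks to be treated as absent
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_PERM_DENIED = "PAM_PERM_DENIED"  # verdict when no module ever decided


@dataclass(frozen=True)
class Entry:
    control: str  # required | requisite | sufficient | optional
    module: str


def parse_stack(text):
    """Parse pam.d lines, keeping only 'auth' entries; comments are skipped."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mtype, control, module, *_args = line.split()
        if mtype == "auth":
            stack.append(Entry(control, module))
    return stack


def evaluate(stack, results):
    """Return (final_code, modules_consulted) as libpam's dispatcher would.

    impression: None = nobody has decided yet, True = positive,
    False = a required/requisite module failed (sticky, wins at the end).
    """
    impression, status, consulted = None, None, []
    for e in stack:
        consulted.append(e.module)
        rv = results[e.module]
        if rv == PAM_IGNORE:
            continue
        ok = rv == PAM_SUCCESS
        if e.control in ("required", "requisite"):
            if ok:
                if impression is None:
                    impression, status = True, rv
            else:
                if impression is not False:
                    impression, status = False, rv
                if e.control == "requisite":
                    break  # requisite: stop immediately on failure
        elif e.control == "sufficient":
            # success ends the stack unless an earlier required module failed;
            # failure of a sufficient module is simply ignored
            if ok and impression is not False:
                impression, status = True, rv
                break
        elif e.control == "optional":
            if ok and impression is None:
                impression, status = True, rv
        else:
            raise ValueError(f"unsupported control flag {e.control!r}")
    if impression is None:
        return PAM_PERM_DENIED, consulted
    return status, consulted


# The stack from the report (pam_env, pam_krb5, pam_unix2, pam_mount).
REPORTED_COMMON_AUTH = """
auth required   pam_env.so
auth required   pam_krb5.so minimum_uid=200
auth sufficient pam_unix2.so
auth required   pam_mount.so
"""
REPORTED_STACK = parse_stack(REPORTED_COMMON_AUTH)

# The two changes the reporter says make the behaviour disappear.
UNIX2_REQUIRED_STACK = [
    Entry("required", e.module) if e.module == "pam_unix2.so" else e
    for e in REPORTED_STACK
]
NO_MOUNT_STACK = [e for e in REPORTED_STACK if e.module != "pam_mount.so"]

# Assumed per-module results for a wrong or empty password (assumptions only).
WRONG_PASSWORD = {
    "pam_env.so": PAM_IGNORE,     # assumed: nothing to decide in auth
    "pam_krb5.so": PAM_IGNORE,    # assumed: target uid below minimum_uid=200
    "pam_unix2.so": PAM_AUTH_ERR, # password check fails
    "pam_mount.so": PAM_SUCCESS,  # assumed: auth hook only records the token
}


def audit(stack, results):
    """Verdict plus the list of modules that actually ran."""
    code, consulted = evaluate(stack, results)
    return {"result": code, "consulted": consulted}


if __name__ == "__main__":
    for name, stack in (("reported", REPORTED_STACK),
                        ("pam_unix2 required", UNIX2_REQUIRED_STACK),
                        ("pam_mount removed", NO_MOUNT_STACK)):
        print(f"{name:20s} {audit(stack, WRONG_PASSWORD)}")
```

Running the model with a correct password shows the other side of the same rule: pam_unix2 as `sufficient` ends the stack on success, so pam_mount is never consulted on that path and only ever decides the outcome after pam_unix2 has failed.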