[Bug 278171] New: Possible root compromise in pam
https://bugzilla.novell.com/show_bug.cgi?id=278171

           Summary: Possible root compromise in pam
           Product: openSUSE 10.2
           Version: Final
          Platform: Other
        OS/Version: openSUSE 10.2
            Status: NEW
          Keywords: security
          Severity: Critical
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: bob.cregan@bristol.ac.uk
         QAContact: qa@suse.de

The base of the PAM system has an oddity that causes a severe security
issue. With the configuration that I have, users get root access via
PAM-enabled services. The config I have is:

marfc@math-pc80:~> rpm -qa | grep pam
pam_mount-0.18-20
pam-config-0.13-8
pam-devel-0.99.6.3-24
pam-0.99.6.3-29.1
pam-modules-10.2-31
pam_krb5-2.2.11-17
pam_ldap-183-10
marfc@math-pc80:~>

math-pc80:~ # cat /etc/pam.d/common-auth
#%PAM-1.0
#
auth    required        pam_env.so
auth    required        pam_krb5.so minimum_uid=200
auth    sufficient      pam_unix2.so
auth    required        pam_mount.so

math-pc80:~ # cat /etc/security/pam_unix2.conf
# pam_unix2 config file
#
# This file contains options for the pam_unix2.so module.
# It contains a list of options for every type of management group,
# which will be used for authentication, account management and
# password management. Not all options will be used from all types of
# management groups.
#
# At first, pam_unix2 will read this file and then uses the local
# options. Not all options can be set her global.
#
# Allowed options are:
# .........
# session: none

auth:
account:
password:
session: none
############

A normal user using this setup can su and get a root shell with a null
password. There is similar behavior via ssh.

I first noticed the behavior with pam_smbpw but then switched to check
that the behavior is independent of the module, and it is also replicated
with a module provided by the distribution.

If the control value in the pam_unix2 line is changed to "require" then
the behavior disappears. Similarly, if the line for pam_mount is removed
the behavior disappears. The Kerberos module works.

I have also seen this behavior on a SuSE 10.1 machine. I have cross-checked
with a couple of people here and we all believe that it is not a
configuration issue.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=278171

mmarek@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mmarek@novell.com
         AssignedTo|bnc-team-                   |mc@novell.com
                   |screening@forge.provo.novell|
                   |.com                        |

------- Comment #1 from mmarek@novell.com 2007-05-25 04:09 MST -------

man pam.conf:

       sufficient
           success of such a module is enough to satisfy the authentication
           requirements of the stack of modules (if a prior required module
           has failed the success of this one is ignored). A failure of
                                                           ^^^^^^^^^^^^
           this module is not deemed as fatal to satisfying the application
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
           that this type has succeeded.
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

So this looks INVALID to me, because you effectively turn pam_unix2 off.
But reassigning to Michael just to be sure.
https://bugzilla.novell.com/show_bug.cgi?id=278171

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Comment #2 from mc@novell.com 2007-05-25 07:03 MST -------

Yes, it looks like a configuration problem. Our default is:

auth    required        pam_env.so
auth    required        pam_unix2.so

With krb5:

auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    required        pam_krb5.so use_first_pass

With krb5 and ldap:

auth    required        pam_env.so
auth    sufficient      pam_unix2.so
auth    sufficient      pam_krb5.so use_first_pass
auth    required        pam_ldap.so use_first_pass

Close as invalid.
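The following is an added illustration, not code from the bug report, from Linux-PAM or from SUSE. It models the pam.conf(5) control-flag rules that the two comments above rely on (required, requisite, sufficient, optional) and runs the reporter's common-auth stack next to the SUSE default with Kerberos, for a su-to-root attempt with an empty password. What each module's authenticate hook returns is an assumption written into module_result(): pam_env casts no vote, pam_krb5 steps aside for a target uid below minimum_uid, pam_unix2/pam_ldap/pam_krb5 fail on a wrong password, and pam_mount's auth hook simply succeeds. With those assumptions the simulation reproduces the three observations in the report: the stack as posted grants access, changing pam_unix2 to required denies it, and dropping the pam_mount line denies it too, because nothing is left that votes for success.

```python
"""Constructed model of Linux-PAM auth-stack evaluation (added example, not PAM code)."""
from dataclasses import dataclass, field

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"


@dataclass
class Entry:
    control: str                       # required | requisite | sufficient | optional
    module: str
    args: tuple = field(default_factory=tuple)


def parse_stack(text):
    """Parse the 'auth <control> <module> [args...]' lines of a common-auth file."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "auth":
            continue
        stack.append(Entry(parts[1], parts[2], tuple(parts[3:])))
    return stack


def module_result(entry, target_uid, password_valid):
    """Assumed return value of each module's authenticate hook for one attempt."""
    name = entry.module
    if name == "pam_env.so":
        return IGNORE                  # assumption: pam_env only sets variables, casts no vote
    if name == "pam_krb5.so":
        for arg in entry.args:
            if arg.startswith("minimum_uid=") and target_uid < int(arg.split("=", 1)[1]):
                return IGNORE          # target account below minimum_uid: module steps aside
        return SUCCESS if password_valid else FAIL
    if name in ("pam_unix2.so", "pam_ldap.so"):
        return SUCCESS if password_valid else FAIL
    if name == "pam_mount.so":
        return SUCCESS                 # assumption: pam_mount's auth hook stashes the password, then succeeds
    raise ValueError(f"no model for {name}")


def run_auth_stack(stack, target_uid, password_valid):
    """Evaluate the stack with pam.conf(5) control-flag semantics."""
    impression = None                  # SUCCESS after a vote for success, FAIL after a required failure
    for entry in stack:
        result = module_result(entry, target_uid, password_valid)
        if result == IGNORE:
            continue                   # an ignoring module leaves the outcome untouched
        if entry.control == "requisite":
            if result == FAIL:
                return FAIL            # requisite failure ends the stack immediately
            impression = impression or SUCCESS
        elif entry.control == "required":
            if result == FAIL:
                impression = FAIL      # remembered; later modules still run
            elif impression is None:
                impression = SUCCESS
        elif entry.control == "sufficient":
            if result == SUCCESS and impression != FAIL:
                return SUCCESS         # short-circuits the rest of the stack
            # a failing sufficient module is "not deemed as fatal": nothing is recorded
        elif entry.control == "optional":
            if len(stack) == 1:
                impression = result    # only decisive when it is the whole stack
        else:
            raise ValueError(f"unknown control flag {entry.control}")
    return impression if impression is not None else FAIL   # nobody voted success: deny


# Stacks from the thread (constructed copies of the posted configuration).
REPORTED = parse_stack("""
auth required   pam_env.so
auth required   pam_krb5.so minimum_uid=200
auth sufficient pam_unix2.so
auth required   pam_mount.so
""")
REPORTED_UNIX2_REQUIRED = parse_stack("""
auth required   pam_env.so
auth required   pam_krb5.so minimum_uid=200
auth required   pam_unix2.so
auth required   pam_mount.so
""")
REPORTED_WITHOUT_MOUNT = [e for e in REPORTED if e.module != "pam_mount.so"]
SUSE_KRB5_DEFAULT = parse_stack("""
auth required   pam_env.so
auth sufficient pam_unix2.so
auth required   pam_krb5.so use_first_pass
""")


def su_root_with_empty_password(stack):
    """Target uid 0 (root), and an empty password that no backend accepts."""
    return run_auth_stack(stack, target_uid=0, password_valid=False)


if __name__ == "__main__":
    for name, stack in [("reported", REPORTED), ("unix2 required", REPORTED_UNIX2_REQUIRED),
                        ("without pam_mount", REPORTED_WITHOUT_MOUNT), ("SUSE krb5 default", SUSE_KRB5_DEFAULT)]:
        print(f"{name:20s} su root, empty password -> {su_root_with_empty_password(stack)}")
```

The ordering is the whole point: in the reporter's stack the only module that can deny root is pam_unix2, and marking it sufficient discards its failure, so the required pam_mount entry that follows supplies the single vote for success. In the SUSE default the last required entry is a real authenticator, so a wrong password still fails even though pam_unix2 is sufficient there as well.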