[Bug 629236] New: vlock cannot authenticate user - missing PAM configuration
http://bugzilla.novell.com/show_bug.cgi?id=629236#c0

Summary: vlock cannot authenticate user - missing PAM configuration
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: All
OS/Version: openSUSE 11.3
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: mike@mk-sys.cz
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.9pre) Gecko/20100730

The vlock package is missing the PAM configuration file /etc/pam.d/vlock, so vlock cannot authenticate users (the default /etc/pam.d/other denies everyone).

In the default installation, even with a suitable /etc/pam.d/vlock, vlock still cannot authenticate users (unless run by root), as vlock-main does not have the SGID bit and cannot read /etc/shadow. But this seems intentional according to /etc/permissions.* However, these files should set the permissions of /usr/sbin/vlock-main rather than /usr/bin/vlock, as the latter is a shell script now.

Reproducible: Always

Steps to Reproduce:
1. lock a terminal using vlock
2. press enter

Actual Results: vlock doesn't ask for a password and shows "authentication failure"

Expected Results: ask for a password and check it

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
http://bugzilla.novell.com/show_bug.cgi?id=629236#c
yang xiaoyu <xyyang@novell.com> changed:

              What |Removed                                   |Added
----------------------------------------------------------------------------
                CC |                                          |xyyang@novell.com
        AssignedTo |bnc-team-screening@forge.provo.novell.com |prusnak@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=629236#c1

--- Comment #1 from Michal Kubeček <mike@mk-sys.cz> 2010-09-09 12:07:40 UTC ---
Created an attachment (id=388561) --> (http://bugzilla.novell.com/attachment.cgi?id=388561)
proposed /etc/pam.d/vlock
https://bugzilla.novell.com/show_bug.cgi?id=629236#c2
Pavol Rusnak <prusnak@novell.com> changed:

              What |Removed                     |Added
----------------------------------------------------------------------------
                CC |                            |prusnak@novell.com
        AssignedTo |prusnak@novell.com          |security-team@suse.de
           Summary |vlock cannot authenticate   |AUDIT-0: vlock - setgid needed
                   |user - missing PAM          |
                   |configuration               |

--- Comment #2 from Pavol Rusnak <prusnak@novell.com> 2010-09-09 14:27:24 CEST ---
I added the PAM configuration to the package in Base:System. I also changed the rights to 2755 for %{_sbindir}/vlock-main.

Security team: can we change /etc/permissions.* by adding

/usr/sbin/vlock-main root:shadow 2755

and by removing all obsoleted /usr/bin/vlock lines?
https://bugzilla.novell.com/show_bug.cgi?id=629236#c
Pavol Rusnak <prusnak@novell.com> changed:

              What |Removed                     |Added
----------------------------------------------------------------------------
            Blocks |                            |569859
https://bugzilla.novell.com/show_bug.cgi?id=629236#c3

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2010-09-22 16:42:41 CEST ---
It scares me that we carry around broken permissions on vlock and no one noticed. I'd actually prefer to remove the vlock entry completely :-) OTOH it's not that common, so it doesn't hurt many.

root:shadow 2755 isn't quite right in general, btw; it should be root:root 4755 to make sure it also works with NIS+.

I'll change the permissions entry as requested; we had vlock that way in the past anyway. It should be reviewed nevertheless.
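An added example, not code from the bug report or from the openSUSE permissions package: a POSIX shell function that audits a file of entries in the /etc/permissions.* format quoted in comments #2 and #3 ("<path> <owner>:<group> <mode>") against the filesystem, flagging entries that point at a missing file or whose owner, group or mode differ from what is listed, which is how a stale /usr/bin/vlock line or an unapplied /usr/sbin/vlock-main line would show up. It assumes GNU stat (for the -c format string) and takes the entries file as its argument.

```shell
#!/bin/sh
# Added example (not code from the bug report or from the openSUSE permissions
# package). Audits a file of /etc/permissions-style entries against the
# filesystem. Entry format, as quoted in the bug: "<path> <owner>:<group> <mode>".
# Assumes GNU stat (for the -c format string).

# Normalise an octal mode string so that "0755", "755" and "00755" compare equal.
normalise_mode() {
    printf '%o' "0$1"
}

# Print one line per problem and return 1 if any entry does not match the
# filesystem (missing path, or owner:group / mode different from the entry).
# Returns 0 when every entry matches.
check_permissions_entries() {
    entries_file="$1"
    rc=0
    while read -r path ownergroup mode; do
        # Skip blank lines and comments, as the real permissions files contain both.
        case "$path" in ''|'#'*) continue ;; esac
        if [ ! -e "$path" ]; then
            echo "MISSING  $path (entry: $ownergroup $mode)"
            rc=1
            continue
        fi
        actual_ownergroup=$(stat -c '%U:%G' "$path")
        actual_mode=$(normalise_mode "$(stat -c '%a' "$path")")
        wanted_mode=$(normalise_mode "$mode")
        if [ "$actual_ownergroup" != "$ownergroup" ] || [ "$actual_mode" != "$wanted_mode" ]; then
            echo "MISMATCH $path: entry says $ownergroup $wanted_mode, file has $actual_ownergroup $actual_mode"
            rc=1
        fi
    done < "$entries_file"
    return $rc
}
```

Run it as check_permissions_entries /etc/permissions.local (or any of the /etc/permissions.* files); a non-zero exit means at least one entry no longer describes the file it names.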
https://bugzilla.novell.com/show_bug.cgi?id=629236#c4

--- Comment #4 from Michal Kubeček <mike@mk-sys.cz> 2010-09-22 15:49:18 UTC ---
This problem appears only in 11.2 and 11.3. Versions up to 11.1 have an older version of vlock where /usr/bin/vlock is a binary.
https://bugzilla.novell.com/show_bug.cgi?id=629236#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2010-09-24 16:34:04 CEST ---
sr#49053 for factory.
https://bugzilla.novell.com/show_bug.cgi?id=629236#c7

--- Comment #7 from Sebastian Krahmer <krahmer@novell.com> 2010-09-28 08:40:37 UTC ---
We already audited vlock and didn't want to make it suid. Please see bnc#342924.

The 11.2 vlock build at least is also wrong with its plugins. On x86_64, the binary looks in /usr/lib/vlock for plugins and scripts, but they are located in /usr/lib64/vlock. It is checking for / characters in pathnames, but I'd prefer to disable execution of plugins and scripts.

Additionally there's a small bug:

diff -rup vlock-2.2.2.orig//src/util.c vlock-2.2.2/src/util.c --- vlock-2.2.2.orig//src/util.c 2008-05-18 05:10:54.000000000 -0400 +++ vlock-2.2.2/src/util.c 2010-09-28 11:53:39.079325879 -0400 @@ -51,11 +51,11 @@ struct timespec *parse_seconds(const cha void fatal_error(const char *format, ...) { - char *error; + char *error = NULL; va_list ap; va_start(ap, format); if (vasprintf(&error, format, ap) < 0) - error = "error while formatting error message"; + error = strdup("error while formatting error message"); va_end(ap); fatal_error_free(error); }

since fatal_error_free() would call free() on a string literal.

Why does vlock need suid/sgid? Isn't unix2_chkpwd exactly for that purpose?
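Review bot: in the fallback branch, strdup("error while formatting error message") can itself return NULL under the same allocation pressure that made vasprintf() fail, so fatal_error_free(error) would then be handed a NULL message; either make sure fatal_error_free() tolerates NULL or fall back to printing a static message and exiting without going through free(). The added "char *error = NULL;" initialisation is worth keeping regardless, since the contents of the vasprintf() output pointer are undefined when it returns -1.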
https://bugzilla.novell.com/show_bug.cgi?id=629236#c8

--- Comment #8 from Ludwig Nussel <lnussel@novell.com> 2010-09-28 10:44:48 CEST ---
(In reply to comment #7)
> We already audited vlock and didn't want to make it suid. Please see bnc#342924.

Great. The request to remove the existing entry from /etc/permissions didn't reach the maintainer though.

> Why does vlock need suid/sgid? Isn't unix2_chkpwd exactly for that purpose?

That one is just plain broken.
https://bugzilla.novell.com/show_bug.cgi?id=629236#c9

--- Comment #9 from Sebastian Krahmer <krahmer@novell.com> 2010-10-12 12:53:01 UTC ---
What's left to do? Closing the bug?
https://bugzilla.novell.com/show_bug.cgi?id=629236#c13

--- Comment #13 from Ludwig Nussel <lnussel@novell.com> 2010-10-12 16:37:32 CEST ---
(In reply to comment #2)
> I added the PAM configuration to the package in Base:System. I also changed the rights to 2755 for %{_sbindir}/vlock-main.
>
> Security team: can we change /etc/permissions.* by adding
>
> /usr/sbin/vlock-main root:shadow 2755

Comment 7 says no. So I will remove the entry from /etc/permissions*
https://bugzilla.novell.com/show_bug.cgi?id=629236#c14
Sebastian Krahmer <krahmer@novell.com> changed:

              What |Removed                     |Added
----------------------------------------------------------------------------
            Status |NEW                         |RESOLVED
        Resolution |                            |FIXED

--- Comment #14 from Sebastian Krahmer <krahmer@novell.com> 2010-10-27 08:39:19 UTC ---
Should be done then.
https://bugzilla.novell.com/show_bug.cgi?id=629236#c15

--- Comment #15 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-31 22:02:55 CET ---
This is an autogenerated message for OBS integration:
This bug (629236) was mentioned in
https://build.opensuse.org/request/show/89843 Tumbleweed / permissions
http://bugzilla.novell.com/show_bug.cgi?id=629236#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (629236) was mentioned in
https://build.opensuse.org/request/show/49053 Factory / permissions
https://build.opensuse.org/request/show/51485 Factory / permissions