[Bug 213235] New: Login (pam_unix2) ignores case and eliminates leading ans trailling whitespaces on login.
https://bugzilla.novell.com/show_bug.cgi?id=213235

Summary: Login (pam_unix2) ignores case and eliminates leading ans trailling whitespaces on login.
Product: SUSE Linux 10.1
Version: Final
Platform: Other
OS/Version: SuSE Linux 10.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: jolz@gmx.de
QAContact: qa@suse.de

Applies to SuSE Linux 10.0 and SuSE Linux 10.1

When I log in, I can use as username "jolz", "jolz ", " jolz", "JOLZ", " JOLZ " and login succeeds although my real username is "jolz".

After login, $HOME is correct, but $USER is the misspelled name. Some Windows mounts (using $USER as user) fail. The command "id" gives me correct information.

I expected the login would fail for "JOLZ".

This problem happens when I authenticate against LDAP (SAMBA 3.0.20-4-SUSE on SuSE 10.0 with pam_unix2.so). When authenticating against local passwd, only "jolz" is valid.

Here is my /etc/pam.d/xdm

    #%PAM-1.0
    auth     required       /ichaus/usr/lib/security/pam_mount.so
    auth     required       pam_unix2.so    use_first_pass nullok #set_secrpc
    account  required       pam_unix2.so
    password required       pam_unix2.so    #strict=false
    session  required       pam_unix2.so    debug # trace or none
    session  required       pam_devperm.so
    session  required       pam_resmgr.so
    session  optional       /ichaus/usr/lib/security/pam_mount.so

Here is my /etc/security/pam_unix2.conf

    # pam_unix2 config file
    #
    # [...]
    #
    auth:           use_ldap nullok
    account:        use_ldap
    password:       use_ldap nullok
    session:        none

Here is /var/log/messages (slightly modified: hostname removed, logged in as " JOLZ"):

    [...]
    Oct 18 09:51:11 foopc kdm: barpc:1[19586]: nss_ldap: reconnected to LDAP server ldap://ldapserver, after 1 attempt
    Oct 18 09:51:12 foopc kdm: barpc:1[19586]: nss_ldap: reconnected to LDAP server ldap://ldapserver, after 1 attempt
    Oct 18 09:51:12 foopc kdm: barpc:1[19586]: pam_unix2(xdm:session): session started for user JOLZ, service xdm
    Oct 18 09:51:12 foopc PAM-devperm[19586]: bad username [ JOLZ]
    Oct 18 09:51:12 foopc an:[19586]: pam_mount: reading options_require...
    [...]

later on the Shell:

    $ echo "'$USER'"
    ' JOLZ'

Sorry, can't test this on SuSE 10.2 alpha now ...

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

https://bugzilla.novell.com/show_bug.cgi?id=213235

jolz@gmx.de changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
     Severity|Normal                      |Critical
     Priority|P5 - None                   |P2 - High

https://bugzilla.novell.com/show_bug.cgi?id=213235

jolz@gmx.de changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
    Component|Basesystem                  |Security
      Summary|Login (pam_unix2) ignores   |Login (pam_unix2) ignores case and eliminates
             |case and eliminates leading |leading and trailling whitespaces on login
             |ans trailling whitespaces on|
             |login.                      |

https://bugzilla.novell.com/show_bug.cgi?id=213235

jolz@gmx.de changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
      Summary|Login (pam_unix2) ignores   |Login (pam_unix2) ignores case and ignores
             |case and eliminates leading |leading and trailling whitespaces on login
             |and trailling whitespaces on|
             |login                       |

https://bugzilla.novell.com/show_bug.cgi?id=213235

martin.lasarsch@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
   AssignedTo|bnc-team-                   |mc@novell.com
             |screening@forge.provo.novell|
             |.com                        |

https://bugzilla.novell.com/show_bug.cgi?id=213235

mc@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
           CC|                            |mc@novell.com
   AssignedTo|mc@novell.com               |rhafer@novell.com

------- Comment #1 from mc@novell.com 2006-10-20 05:41 MST -------
might be a pam_ldap problem. assign to maintainer.

Ralf: do you know what happens here?

jolz j: please add the "debug" option to the auth section to pam_unix2

    auth     required       pam_unix2.so    use_first_pass nullok debug #set_secrpc

test again and attach full /var/log/message to this bug please.

https://bugzilla.novell.com/show_bug.cgi?id=213235

rhafer@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
       Status|NEW                         |NEEDINFO
Info Provider|                            |jolz@gmx.de

------- Comment #2 from rhafer@novell.com 2006-10-20 06:31 MST -------
No bug in pam_ldap here. The LDAP "uid" attribute is defined to be case-insensitive. pam_ldap behaves accordingly. For more on this topic see also Bug #118003.

When using "login" on 10.2, $USER and $LOGNAME are set correctly to the value that is stored in the LDAP server, by calling getpwnam(). What program did you use to test this?

https://bugzilla.novell.com/show_bug.cgi?id=213235

rhafer@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
     Severity|Critical                    |Normal

https://bugzilla.novell.com/show_bug.cgi?id=213235

rhafer@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
           CC|                            |rhafer@novell.com
   AssignedTo|rhafer@novell.com           |kde-maintainers@suse.de
       Status|NEEDINFO                    |NEW
    Component|Security                    |KDE
Info Provider|jolz@gmx.de                 |

------- Comment #3 from rhafer@novell.com 2006-10-20 07:03 MST -------
I just tried myself with KDM. KDM sets $USER exactly to what the user entered in the username text field. IMO this is wrong, as it can lead to the problems described above, when using e.g. pam_ldap or pam_winbind.

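Comments #2 and #3 put the fault in the session name: the directory matches the typed login loosely, so the session has to carry the stored name that getpwnam() returns rather than the typed string. An added C example of that step, not KDM's or pam_unix2's code: `session_user`, `demo_ldap_lookup` and `login_policy` are hypothetical names, and the lookup is a constructed stand-in for an LDAP-backed getpwnam(). LOGIN_STRICT refuses any spelling other than the stored one, the behaviour the reporter describes in comment #12.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Same shape as getpwnam(), so a real NSS lookup can be passed instead. */
typedef struct passwd *(*pw_lookup_fn)(const char *);

/* Constructed stand-in for an LDAP-backed getpwnam(): one account, "jolz",
 * matched ignoring case and surrounding blanks, as observed in the report. */
static struct passwd *demo_ldap_lookup(const char *typed)
{
    static char name[] = "jolz";
    static struct passwd entry;
    size_t len;
    while (*typed == ' ')
        typed++;
    len = strlen(typed);
    while (len > 0 && typed[len - 1] == ' ')
        len--;
    if (len != strlen(name) || strncasecmp(typed, name, len) != 0)
        return NULL;
    entry.pw_name = name;
    return &entry;
}

enum login_policy { LOGIN_NORMALIZE, LOGIN_STRICT };

/* Writes the name to export as $USER/$LOGNAME into out and returns 0;
 * returns -1 for an unknown account, a policy reject, or a short buffer. */
int session_user(const char *typed, pw_lookup_fn lookup,
                 enum login_policy policy, char *out, size_t outlen)
{
    const struct passwd *pw = lookup(typed);
    if (pw == NULL || strlen(pw->pw_name) >= outlen)
        return -1;
    if (policy == LOGIN_STRICT && strcmp(typed, pw->pw_name) != 0)
        return -1;
    strcpy(out, pw->pw_name);  /* stored name, never the typed string */
    return 0;
}

int main(void)
{
    char user[64];
    if (session_user(" JOLZ", demo_ldap_lookup, LOGIN_NORMALIZE, user, sizeof user) == 0)
        printf("USER=%s\n", user);
    return 0;
}
```

Passing `getpwnam` itself as the lookup applies the same rule to whatever NSS backend the host is configured with.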
https://bugzilla.novell.com/show_bug.cgi?id=213235

jolz@gmx.de changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
           CC|                            |jolz@gmx.de
    Component|KDE                         |Security

------- Comment #4 from jolz@gmx.de 2006-10-20 07:26 MST -------
Bug #118003:
Access Denied
You are not authorized to access bug #118003.

I checked some other login variants:

    ssh JoLZ@foopc
    ssh " JOLZ@foopc"

works. (login correct, but this time $USER is correct).

this works and the result is okay:

    $> perl -e 'print ("username=_" . getpwuid($<) . "_\n");'
    username=_jolz_

> What program did you use to test this?

- I logged in with kdm [1]
- I saw the $USER-Environment with bash ("echo $USER")
- the pam_mount.so modules (see my /etc/pam.d/xdm above) also saw the wrong user. So the mounts fail! (very bad)

I appended the debug option in /etc/pam.d/xdm, but there I could not see more messages than the lines above. Is it the right place?

By the way: the log in the LDAP server:

    Oct 20 14:46:36 ldapserver slapd[15718]: conn=124 op=3324 SRCH base="ou=Group,dc=ichaus,dc=lan" scope=1 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=JOLZ) (uniqueMember=uid=jolz,ou=users,dc=ichaus,dc=lan)))"

You should notice that in the filter "memberUid=JOLZ" and "uniqueMember=uid=jolz" can be found.

jolz

[1] Displaymanager: We are using KDM:

    foopc:/etc/sysconfig # cat displaymanager
    ## Path:        Desktop/Display manager
    ## Description:
    ## Type:        string(kdm,xdm,gdm,wdm,console)
    ## Default:     ""
    #
    # Here you can set the default Display manager (kdm/xdm/gdm/wdm/console).
    # all changes in this file require a restart of the displaymanager
    #
    DISPLAYMANAGER="kdm"

https://bugzilla.novell.com/show_bug.cgi?id=213235

dmueller@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
           CC|                            |security-team@suse.de
       Status|NEW                         |ASSIGNED

------- Comment #5 from dmueller@novell.com 2006-10-20 09:03 MST -------
ok, it's a bug, but could you elaborate on the security implications? given that the login is case insensitive, I don't think you could accidentally become another user or other stuff this way.

https://bugzilla.novell.com/show_bug.cgi?id=213235

------- Comment #6 from jolz@gmx.de 2006-10-23 03:27 MST -------
Okay, maybe no security problem. I do not get more rights than I should get. That's good. But I did not know which category to choose...

https://bugzilla.novell.com/show_bug.cgi?id=213235

------- Comment #7 from jolz@gmx.de 2006-11-08 02:27 MST -------
We recently tested this against SuSE 10.2 beta 1. The problem is the same.

Although this is maybe no security problem, the bug may drive a sysadmin crazy (e.g. when pam_mount is used....)

https://bugzilla.novell.com/show_bug.cgi?id=213235

wstephenson@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
   AssignedTo|kde-maintainers@suse.de     |coolo@novell.com
       Status|ASSIGNED                    |NEW

https://bugzilla.novell.com/show_bug.cgi?id=213235

coolo@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
   AssignedTo|coolo@novell.com            |kde-maintainers@suse.de
     Keywords|                            |Fix_is_Ready

------- Comment #8 from coolo@novell.com 2006-12-08 06:07 MST -------
ok, kde svn revision 611492 - I hope the maintainer is ok with it. I'll build a test package for 10.2 and if it's ok I'd suggest backporting to SLE

https://bugzilla.novell.com/show_bug.cgi?id=213235

coolo@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
       Status|NEW                         |NEEDINFO
Info Provider|                            |jolz@gmx.de

------- Comment #9 from coolo@novell.com 2006-12-08 06:55 MST -------
Please try http://ktown.kde.org/~coolo/kdebase3-kdm.rpm

https://bugzilla.novell.com/show_bug.cgi?id=213235

------- Comment #10 from meissner@novell.com 2007-01-22 09:22 MST -------
ping?

https://bugzilla.novell.com/show_bug.cgi?id=213235

------- Comment #11 from jolz@gmx.de 2007-01-23 00:08 MST -------
sorry, needed some time, the 10.2-system was not ready for testing yet. will write again today or tomorrow.

https://bugzilla.novell.com/show_bug.cgi?id=213235

jolz@gmx.de changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
       Status|NEEDINFO                    |RESOLVED
Info Provider|jolz@gmx.de                 |
   Resolution|                            |FIXED

------- Comment #12 from jolz@gmx.de 2007-01-23 06:40 MST -------
Okay, tested it now. All works as expected. "jolz" works, " jolz", "JolZ" or similar does not work any more.

Thanks a lot :-)

https://bugzilla.novell.com/show_bug.cgi?id=213235

coolo@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
      Summary|Login (pam_unix2) ignores   |[Fix_is_Ready: 10.1/10.2] Login (pam_unix2)
             |case and ignores leading and|ignores case and ignores leading and trailling
             |trailling whitespaces on    |whitespaces on login
             |login                       |

https://bugzilla.novell.com/show_bug.cgi?id=213235

dmueller@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
      Summary|[Fix_is_Ready: 10.1/10.2]   |[Fix_is_Ready: 10.2] Login (pam_unix2) ignores
             |Login (pam_unix2) ignores   |case and ignores leading and trailling
             |case and ignores leading and|whitespaces on login
             |trailling whitespaces on    |
             |login                       |

------- Comment #13 from dmueller@novell.com 2007-04-13 09:33 MST -------
submitted for 10.1 and SLE10

https://bugzilla.novell.com/show_bug.cgi?id=213235

------- Comment #14 from dmueller@novell.com 2007-04-13 09:37 MST -------
submitted for nld9

https://bugzilla.novell.com/show_bug.cgi?id=213235

dmueller@novell.com changed:

         What|Removed                     |Added
----------------------------------------------------------------------------
     Keywords|Fix_is_Ready                |
      Summary|[Fix_is_Ready: 10.2] Login  |Login (pam_unix2) ignores case and ignores
             |(pam_unix2) ignores case and|leading and trailling whitespaces on login
             |ignores leading and         |
             |trailling whitespaces on    |
             |login                       |

------- Comment #15 from dmueller@novell.com 2007-04-24 16:21 MST -------
submitted for 10.2

https://bugzilla.novell.com/show_bug.cgi?id=213235

------- Comment #16 from thomas@novell.com 2007-05-30 03:10 MST -------
packages released