[Bug 1030210] New: PAM grants network access through NM without or/and with the wrong root password
http://bugzilla.opensuse.org/show_bug.cgi?id=1030210

Bug ID: 1030210
Summary: PAM grants network access through NM without or/and with the wrong root password
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: openSUSE 42.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: stakanov@freenet.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

System: 42.2 with kernel stable and lightdm
DE is KDE
File settings are "Local secure".

In the system I did set that user "A" is the only owner of a certain WLAN network, not the others. Once the WLAN is open, this network should not be modifiable by the others but only by user "A".

First observation: the request for the root password is completely erratic. You are asked for the root password "in order to modify network settings" no matter what. This takes place for all logged-in users, spontaneously, even without(!) touching any network function. This popup just pops up to be clicked away.

Now in the user that handles a WLAN network that is handling a WLAN WPA2 AP and that has set "connect in automatic", the root password is asked anyways, "in order to modify..." as in all users. Unfortunately, if you fail to give that root password three times... you are presented with the kwallet password, in order to start the network. And that works (I am writing you from that access right now).

Summary: PAM asks for every user at logging in an undue way the root password in order to modify the network settings. However it grants access to the network even with root password, just clicking away the password entry window. It also grants access (with the wallet password) when you type in just the wrong root password.

This behavior is random and presents without any understandable pattern. It is however very frequent, thus not a one-time occasion, thus it triggered this bug report.

a) do not ask for a root password when not required
b) make honor the root password if for any reason you do require it
c) make sure that, when a wrong root password or none at all is given... the action is not granted if really the root password was requested.
d) honor the settings that the user that owns the password should be able to connect to it without root password from his own account - unless for global necessity you do not have to ask for the root password - but then a and b and c apply.

--
You are receiving this mail because:
You are on the CC list for the bug.