
Bug 1312442

Summary: gnome-screensaver doesn't audit unlocks for non-pam_unix modules
Product: Red Hat Enterprise Linux 6
Reporter: tpacyga
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 6.7
CC: pkis, pvrabec
Target Milestone: rc
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2016-03-14 10:52:42 UTC
Type: Bug

Description tpacyga 2016-02-26 17:19:31 UTC
Description of problem:
When locking the screen with gnome-screensaver, followed by an unlock, the authentication attempt does not get logged if it's an LDAP user (a unix system user gets audited correctly). Now, when I initially log in using gdm, both LDAP and unix users get audited correctly, because I am assuming gdm does the actual auditing. In the case of gnome-screensaver, since it runs with the permissions of the user doing the lock and not root, it doesn't have permission to audit. In that case it relies on the individual pam modules to perform the auditing, as is the case with pam_unix. pam_unix runs unix_chkpwd, which has a setuid bit and does the actual auditing if the uid is not 0. I was wondering if it makes sense to do something similar with pam_ldap, since I think it is important for screen unlocks to be properly audited. Maybe there needs to be an actual change to gnome-screensaver instead, since I am sure there are other pam modules with similar issues.

Version-Release number of selected component (if applicable):
gnome-screensaver - 2.28.3

How reproducible:
Reproducible every time

Steps to Reproduce:
1. Login with a user that gets authenticated through pam_unix
2. Lock the screen with gnome-screensaver
3. Enter password/unlock the screen
4. Check audit logs, see USER_AUTH message appears
5. Logout with unix user/login with a user that gets authenticated through pam_ldap
6. Lock the screen with gnome-screensaver
7. Enter password/unlock the screen
8. Check audit logs, no messages related to the unlock appear

Actual results:
No audit messages generated

Expected results:
A USER_AUTH audit message with a success/failure, similar to when unlocking with a unix user

Additional info:
Set as high, because security related
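The check in steps 4 and 8 above, as an added example that is not part of the bug report or of any Red Hat component: it parses audit.log USER_AUTH records, counts the PAM authentications produced by the setuid unix_chkpwd helper per account, and reports which expected accounts have no such record at all, which is how an LDAP user's screen unlock shows up (or rather does not) in the log. The sample log lines, account names and uids are constructed; the record layout follows the standard auditd/PAM format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the audit.log layout written by PAM (not from the
# bug report). "alice" is a unix user: her unlock attempts are audited by the
# setuid unix_chkpwd helper. "bob" is only audited at gdm login (exe=gdm-binary);
# the screensaver unlock of an LDAP user leaves no USER_AUTH record at all.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1456510771.102:311): pid=2001 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0 res=success'
type=USER_AUTH msg=audit(1456510795.411:312): pid=2002 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="alice" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0 res=failed'
type=USER_AUTH msg=audit(1456510830.007:313): pid=1201 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/sbin/gdm-binary" hostname=? addr=? terminal=:0 res=success'
type=USER_LOGIN msg=audit(1456510831.000:314): pid=1201 uid=0 auid=5001 ses=4 msg='op=login id=5001 exe="/usr/sbin/gdm-binary" hostname=? addr=? terminal=:0 res=success'
"""

# type=... msg=audit(<epoch>:<serial>): <outer k=v fields> msg='<inner k=v fields>'
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"(?P<fields>.*?) msg='(?P<msg>.*)'$"
)
# k=v or k="v"; values such as "?" and ":0" are unquoted in real records
KV_RE = re.compile(r'(\w+)=("?)([^"\s]*)\2')

def parse_audit_line(line):
    """Return a flat dict of the record's fields, or None if the line is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for group in ("fields", "msg"):
        for key, _, value in KV_RE.findall(m.group(group)):
            rec[key] = value
    return rec

def unlock_audit_summary(log_text, expected_accounts):
    """Per-account success/failed counts of PAM authentications audited by the
    setuid unix_chkpwd helper (the only path a uid!=0 screensaver gets audited
    through), plus the expected accounts that never produced such a record."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None or rec["type"] != "USER_AUTH":
            continue
        if rec.get("op") != "PAM:authentication" or not rec.get("exe", "").endswith("/unix_chkpwd"):
            continue
        counts[rec.get("acct", "?")][rec.get("res", "unknown")] += 1
    missing = sorted(acct for acct in expected_accounts if acct not in counts)
    return {acct: dict(c) for acct, c in counts.items()}, missing
```

Run against a real /var/log/audit/audit.log, an account that unlocked the screen but appears in `missing` is exactly the gap this bug describes.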

Comment 2 tpacyga 2016-02-26 20:12:33 UTC
I should add, this is similar to "Bug 443432 - gnome-screensaver doesn't audit failed unlock attempts," but that one seems to deal with just the pam_unix case.

Comment 3 Jakub Hrozek 2016-03-10 11:18:45 UTC
pam_ldap doesn't audit on its own, just linux-pam does IIUC.

On a tangent, please don't use pam_ldap, sssd is a much better choice.

Comment 4 Tomas Mraz 2016-03-14 10:52:42 UTC
There is no way to achieve this because the auditing of pam_unix here happens due to the unix_chkpwd helper being setuid. The screensaver runs with the regular user uid and cannot audit on itself.

Comment 5 tpacyga 2016-03-16 02:32:00 UTC
OK, thanks for your responses.