Bug 1312442

Summary: gnome-screensaver doesn't audit unlocks for non-pam_unix modules
Product: Red Hat Enterprise Linux 6 Reporter: tpacyga
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.7CC: pkis, pvrabec
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-03-14 10:52:42 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description tpacyga 2016-02-26 17:19:31 UTC 
Description of problem:
When locking the screen with gnome-screensaver, followed by an unlock, the authentication attempt does not get logged if it's an LDAP user (a unix system user gets audited correctly). Now, when I initially login, using gdm, both LDAP and unix users get audited correctly, because I am assuming gdm does the actual auditing. In the case of gnome-screensaver, since it runs with the permissions of the user doing the lock and not root, it doesn't have permission to audit. In that case it relies on the individual pam modules to perform the auditing as is the case with pam_unix. pam_unix runs unix_chkpwd which has a setuid bit, which does the actual auditing if the uid is not 0. I was wondering if it makes sense to do something similar with pam_ldap, since I think it is important for screen unlocks to be properly audited. Maybe there needs to be an actual change to gnome-screensaver instead, since I am sure there are other pam modules with similar issues.

Version-Release number of selected component (if applicable):
gnome-screensaver - 2.28.3

How reproducible:
Reproducible every time

Steps to Reproduce:
1. Login with a user that gets authenticated through pam_unix
2. Lock the screen with gnome-screensaver
3. Enter password/unlock the screen
4. Check audit logs, see USER_AUTH message appears
5. Logout with unix user/login with a user that gets authenticated through pam_ldap
6. Lock the screen with gnome-screensaver
7. Enter password/unlock the screen
8. Check audit logs, no messages related to the unlock appear

Actual results:
No audit messages generated

Expected results:
A USER_AUTH audit message with a success/failure, similar to when unlocking with a unix user

Additional info:
Set as high, because security related
Comment 2 tpacyga 2016-02-26 20:12:33 UTC 
I should add, this is similar to "Bug 443432 - gnome-screensaver doesn't audit failed unlock attempts," but that one seems to deal with just the pam_unix case.
Comment 3 Jakub Hrozek 2016-03-10 11:18:45 UTC 
pam_ldap doesn't audit on its own, just linux-pam does IIUC. 

on a tangent, please don't use pam_ldap, sssd is a much better choice.
Comment 4 Tomas Mraz 2016-03-14 10:52:42 UTC 
There is no way to achieve this because the auditing of pam_unix here happens due to the unix_chkpwd helper being setuid. The screensaver runs with the regular user uid and cannot audit on itself.
Comment 5 tpacyga 2016-03-16 02:32:00 UTC 
OK, thanks for your responses.