Bug 152771

Summary: CAN-2003-0388 pam_wheel uses getlogin in insecure fashion
Product: [Retired] Fedora Legacy
Reporter: Marc Deslauriers <marc.deslauriers>
Component: pam
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, mschout, pekkas
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0388
Whiteboard: LEGACY, rh73, rh90
Doc Type: Bug Fix
Last Closed: 2005-05-18 20:51:48 UTC

Description David Lawrence 2005-03-30 23:26:53 UTC
If the "trust" option is enabled in the pam_wheel configuration file
and the "use_uid" option is disabled, any local user may spoof the
username returned by getlogin() and gain access to a super-user account
without supplying a password.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0388
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=98826
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=98020
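An added audit script for the configuration described above (example code written for this page, not part of the Fedora Legacy update or of Linux-PAM): it walks PAM service files and flags every pam_wheel.so line that carries "trust" without "use_uid", which is exactly the combination under which pam_wheel identifies the caller via getlogin() instead of the real uid. It matches the module by basename, so the /lib/security/$ISA/pam_wheel.so path form that comes up later in this bug is handled the same as a bare module name. The function names, the su.weak/su.fixed file names and the two sample service files are constructed for the demonstration and are not files shipped by any package; an administrator has to have put "trust" into /etc/pam.d/su for the finding to apply, as ckelley's QA note below also points out. Needs only sh, awk and mktemp.

```shell
#!/bin/sh
# Audit /etc/pam.d-style service files for the CAN-2003-0388 configuration:
# pam_wheel.so invoked with "trust" but without "use_uid".  With "trust",
# pam_wheel lets members of the wheel group authenticate without a password;
# without "use_uid" it identifies the caller through getlogin() (utmp) rather
# than the real uid, and getlogin() can be spoofed by any local user.
#
# Added example for this bug; not code from the Fedora Legacy update or from
# Linux-PAM.  The sample service files written below are constructed for the
# demonstration, not files shipped by any package.

# audit_pam_wheel_file FILE
#   Prints "VULNERABLE FILE:LINE" or "OK FILE:LINE" for each pam_wheel.so
#   entry and returns 1 if at least one VULNERABLE entry was found.
audit_pam_wheel_file() {
    awk -v file="$1" '
        BEGIN { bad = 0 }
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*$/ { next }                      # and blank lines
        {
            # Line layout: type control module [options...].  The control
            # field may be a bracketed list ("[success=ok default=die]")
            # that spans several whitespace-separated fields.
            m = 3
            if ($2 ~ /^\[/ && $2 !~ /\]$/) {
                while (m <= NF && $m !~ /\]$/) m++
                m++
            }
            # Match on the module basename so that both "pam_wheel.so" and
            # "/lib/security/$ISA/pam_wheel.so" are found.  libpam expands the
            # $ISA token itself when it loads the module; it is not read from
            # the environment.
            mod = $m
            sub(/.*\//, "", mod)
            if (mod != "pam_wheel.so") next
            trust = 0; use_uid = 0
            for (i = m + 1; i <= NF; i++) {
                if ($i == "trust")   trust = 1
                if ($i == "use_uid") use_uid = 1
            }
            if (trust && !use_uid) { print "VULNERABLE " file ":" NR; bad = 1 }
            else                   { print "OK " file ":" NR }
        }
        END { exit bad }
    ' "$1"
}

# write_sample_pam_su DIR
#   Writes two constructed /etc/pam.d/su variants into DIR: the weak stanza
#   described in this bug, and the same stanza with use_uid added.
write_sample_pam_su() {
    cat > "$1/su.weak" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# wheel members get su without a password; the caller is identified
# via getlogin(), which a local user can spoof (CAN-2003-0388)
auth       sufficient   /lib/security/$ISA/pam_wheel.so trust
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    cat > "$1/su.fixed" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# same policy, but the caller is identified by real uid
auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
EOF
}

# Demonstration on the constructed files.  On a real host run instead:
#   for f in /etc/pam.d/*; do audit_pam_wheel_file "$f"; done
demo_dir=$(mktemp -d)
write_sample_pam_su "$demo_dir"
for f in "$demo_dir"/su.weak "$demo_dir"/su.fixed; do
    audit_pam_wheel_file "$f" || echo "  -> $f: add use_uid or drop trust"
done
rm -rf "$demo_dir"
```

The check is deliberately about the configuration, not the binary: an updated pam package closes the getlogin() weakness in the module, but a service file that grants "trust" without "use_uid" is still worth knowing about, since "use_uid" ties the decision to the real uid regardless of what utmp says.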



------- Additional Comments From dwb7.edu 2004-08-31 12:36:12 ----

RH seems to have taken a newer version of PAM and adapted it to allow it to
build under AS2.1 ... since AS2.1 is 7.x, this should work fine under rh7.3




------- Additional Comments From dwb7.edu 2004-08-31 12:41:35 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built packages for RH7.3:

29e5b7b840a2f49efb3bde1178e245d750d58058 *pam-0.75-46.9.legacy.7x.i386.rpm
1a2faaea448b955ecb65e415704a63eebdb5ccf4 *pam-0.75-46.9.legacy.7x.src.rpm
b16b4604ca121c827f91240d36b54387a3e5a14d
*pam-devel-0.75-46.9.legacy.7x.i386.rpm

download from 
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/pam

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNP58SY7s7uPf/IURAoOwAJ9KrHb/gWK17rEETrnaxVib3G1YlgCgrYfK
wAYJSBp0v+klsw4kRiUBCIg=
=Fs7l
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-09-01 04:29:32 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
1a2faaea448b955ecb65e415704a63eebdb5ccf4  ./pam-0.75-46.9.legacy.7x.src.rpm
 
flex should be added to the build reqs:
 
[ ... ]
bison -d -p _pc_yy config.y
config.y contains 1 shift/reduce conflict.
sh ./sed-static config.tab.c
flex -Cr -oconfig.lex.c -P_pc_yy config.l
make[2]: flex: Command not found
make[2]: *** [config.lex.c] Error 127
make[2]: Leaving directory
`/usr/src/redhat/BUILD/Linux-PAM-0.75/modules/pam_console'
 
but Redhat doesn't have it in there.
 
Package builds fine after installing flex.
 
29e5b7b840a2f49efb3bde1178e245d750d58058  ./pam-0.75-46.9.legacy.7x.i386.rpm
 
On a test box, I checked /bin/login, /bin/su, /usr/bin/sudo and
/usr/bin/passwd (as root, and as a user -- with cracklib test).  All
of them behaved normally.  The trust exploit requires that the user
edit /etc/pam.d/* files (su), and requires a member of the 'wheel'
group to be logged in.  I couldn't find a published exploit, so I
didn't double-check that it is fixed (however, this is from RHEL2, so
it should be fine).
 
Please PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBNdy9yQ+yTHz+jJkRAgQeAJ9GTw+pq4p8Ztpw0euvKxEZYpjumgCdFbGE
byJ5fYoWBhBGUvq3V5cYwt8=
=CI7p
-----END PGP SIGNATURE-----




------- Additional Comments From jpdalbec 2004-09-01 04:42:20 ----

Created an attachment (id=827)
Differences between the previous RHL 7.3 pam and the update

There are about 64k of differences.  I don't see anything that looks malicious,
but there's a lot there.  I unpacked the differing binary files so those
differences can be seen (in the modules/ subdirectories).  I gzipped the diff
file so it can't be edited.  Here's the detached signature for the attachment:
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQBBNd0GJL4A+ldA7asRArfIAJ9/AXf62ifwjU2Wf6doo+Iq7Ur7mACfSDEh
dQGbC3fEnJjF2POPG9s9RKo=
=QV9q
-----END PGP SIGNATURE-----
Here are signed (sha1, md5)sums for the attachment:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

pam-0.75-46.7.3-46.9.legacy.7x.diff.gz:
9fc2859c7a79705b888890d6a003d2775ea465ac  (sha1sum)
b8decf9dcf0dda23ef4489dd5bf400bd  (md5sum)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNd8iJL4A+ldA7asRAo5mAJ9uWodPKqp/wHSt4U368fznCDGbIQCfV/cd
1PZnZBCINE/Lg6s08sZlIKY=
=PIPN
-----END PGP SIGNATURE-----




------- Additional Comments From dwb7.edu 2004-09-02 03:39:54 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Built packages for RH7.3: (change from previous -- added BuildPrereq of flex)

sha1sum -b *
5b2644d237bd49a6a00f4e5e2b05130339f57a82 *pam-0.75-46.9.legacy.7x.i386.rpm
47d9413916d5efd7f453adac70dc00889af5392f *pam-0.75-46.9.legacy.7x.src.rpm
6e361eb5e8999d038fc0f97f44662971be0bc1ba
*pam-devel-0.75-46.9.legacy.7x.i386.rpm

download from 
http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/pam

- -DWB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBNyKJSY7s7uPf/IURAp6zAKC18RU5fN59VVuoT4fyfulm6uwfjQCgmPmf
asZ7lbqy4O/ooMaiiamC7rs=
=yxgr
-----END PGP SIGNATURE-----




------- Additional Comments From ckelley 2004-09-02 04:44:49 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
47d9413916d5efd7f453adac70dc00889af5392f pam-0.75-46.9.legacy.7x.src.rpm
 
# diff pam.spec-new pam.spec-old
103c103
< BuildPrereq: autoconf, bison, glib-devel, sed, fileutils, cracklib,
cracklib-dicts, flex
- ---
> BuildPrereq: autoconf, bison, glib-devel, sed, fileutils, cracklib,
cracklib-dicts
436,438d435
< * Thu Sep 02 2004 Dave Bostch <dwb7.edu>
< - Added flex to BuildPrereq
<
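Review bot: the diff was taken with the arguments reversed (`diff pam.spec-new pam.spec-old`), so the flex addition at 103c103 sits on the `<` side and the three new changelog lines at 436,438d435 appear as a deletion; read old-to-new it is the addition described in "Flex is added". The new changelog entry also spells the author as "Bostch", which does not match the CC entry (botsch) on this bug.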
 
Flex is added, it looks good
 
PUBLISH
 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
 
iD8DBQFBNzHDyQ+yTHz+jJkRAsTSAKC/W2E6yUL3bBh+JU2sTZgx/1tu/QCguI11
jYz1N9/Hl3y2wgAIlCJbieg=
=iZ7k
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2004-10-21 16:37:36 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the following package:

47d9413916d5efd7f453adac70dc00889af5392f pam-0.75-46.9.legacy.7x.src.rpm

- - Source files match RHEL2.1 pam update
- - Spec file changes from RHEL2.1 update are OK
- - Spec file changes and patch changes from previous rh73 release appear OK
- - Builds and runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBeHKJLMAs/0C4zNoRAmSxAJ0Y9BOqxaZhuD3nI7uXNA3ii1AwOACeODhv
RPIGQgoE3nCSIiITedcLzos=
=tT3Z
-----END PGP SIGNATURE-----




------- Additional Comments From pekkas 2005-02-26 00:32:45 ----

There have also been other bugfixes in the RHEL track since, like:
https://rhn.redhat.com/errata/RHBA-2004-575.html.  Nothing major though; it
would be easy to roll new RHL73 packages, but probably not worth the effort.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package for RHL9 for QA:
 - I took the latest RHEL3 update as-is, except I disabled LAUS support
 - looking at the spec file, the only functional difference I see is that
   now "postgresok" authentication module is also included.  Shouldn't be
   an issue, but easy to disable if so.
 - installed OK, logins, su, etc. seemed to work OK

http://www.netcore.fi/pekkas/linux/pam-0.75-62.9.legacy.src.rpm (RHL9)

2e30e4f4b8ddefe7923ea8a09191495958b5d6fe  pam-0.75-62.9.legacy.src.rpm

* Sat Feb 26 2005 Pekka Savola <pekkas> 0.75-62.9.legacy
 - rebuild for Fedora Legacy to fix CAN-2003-0388 and minor bugs (#2010)
[..plus the RHEL3 changelog...]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFCIFAiGHbTkzxSL7QRAp9oAJ9mXxBKUn2cTxNBoKom45nkx51jFwCgxMEy
HBMb4LC6CsS6ANkaVfayBDo=
=Osrw
-----END PGP SIGNATURE-----





------- Additional Comments From pekkas 2005-02-26 01:08:55 ----

Sigh.  In case we want to care about #2146 (wrong console.perms for cdwriters
etc.), those patches need to go here as well.  It's not clear which bug number
should be used to track the packages fixing both (if we want to fix both).



------- Additional Comments From marcdeslauriers 2005-02-26 03:45:01 ----

I don't think we should fix 2146. It will break too many things and no other
distro seems to have fixed it. I think we should just stick with this one.



------- Additional Comments From marcdeslauriers 2005-03-02 16:31:25 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the rh9 package from comment 8:

2e30e4f4b8ddefe7923ea8a09191495958b5d6fe  pam-0.75-62.9.legacy.src.rpm

- - Source files match previous version plus updates
- - New patches are reasonable
- - Spec file changes are reasonable
- - Builds and runs OK

+PUBLISH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCJnbsLMAs/0C4zNoRAjG+AKCXRlvo3nmUVZG1MlKnupGrc+1glQCfa+D8
A8kn6LxqLkwuYKocqvkr390=
=emji
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-05 04:55:30 ----

Packages were pushed to updates-testing



------- Additional Comments From jimpop 2005-03-05 07:18:53 ----


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK, I applied the pam test release to an acceptance level RH73 box and verified
some diffs with a production server.

   bb7b9e1c63be2eb2064b46eacaf8d0ce68594d11  pam-0.75-46.10.legacy.7x.i386.rpm

  ---------------------------------------
  $ diff /etc/pam.d/chkrootkit  /mnt/prod-IPDAER0036MIA1/etc/pam.d/chkrootkit
  3d2
  < auth       sufficient   pam_timestamp.so
  7d5
  < session    optional     pam_timestamp.so
  diff /etc/pam.d/other /mnt/prod-IPDAER0036MIA1/etc/pam.d/other
  2,5c2,5
  < auth     required       /lib/security/$ISA/pam_deny.so
  < account  required       /lib/security/$ISA/pam_deny.so
  < password required       /lib/security/$ISA/pam_deny.so
  < session  required       /lib/security/$ISA/pam_deny.so
  ---
  > auth     required       /lib/security/pam_deny.so
  > account  required       /lib/security/pam_deny.so
  > password required       /lib/security/pam_deny.so
  > session  required       /lib/security/pam_deny.so
  Only in /etc/pam.d/: system-auth.rpmnew
  -----------------------------------------

soooo what's diff between system-auth and system-auth.rpmnew?

  -----------------------------------------
  $ diff /etc/pam.d/system-auth.rpmnew /etc/pam.d/system-auth
  4,6c4,6
  < auth        required      /lib/security/$ISA/pam_env.so
  < auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
  < auth        required      /lib/security/$ISA/pam_deny.so
  ---
  > auth        required      /lib/security/pam_env.so
  > auth        sufficient    /lib/security/pam_unix.so likeauth nullok
  > auth        required      /lib/security/pam_deny.so
  8c8
  < account     required      /lib/security/$ISA/pam_unix.so
  ---
  > account     required      /lib/security/pam_unix.so
  10,12c10,12
  < password    required      /lib/security/$ISA/pam_cracklib.so retry=3
  < password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
  < password    required      /lib/security/$ISA/pam_deny.so
  ---
  > password    required      /lib/security/pam_cracklib.so retry=3 type=
  > password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
shadow
  > password    required      /lib/security/pam_deny.so
  14,15c14,15
  < session     required      /lib/security/$ISA/pam_limits.so
  < session     required      /lib/security/$ISA/pam_unix.so
  ---
  > session     required      /lib/security/pam_limits.so
  > session     required      /lib/security/pam_unix.so
  -----------------------------------------
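Review bot: every difference between system-auth.rpmnew and the live system-auth is either the `/lib/security/$ISA/` path form or, at 10,12c10,12, the dropped empty `type=` argument on pam_cracklib; the module list and control flags are identical in both files. Because rpm saved the package's copy as `.rpmnew`, the configuration actually in use was not changed by this update.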

What's all that $ISA stuff???

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFCKemNuhh7yV/E9I4RAjhFAJ4h4EoNYQwLQ65bpqIQ6DtpzDq8ywCfXH2i
DpAGrHVsiRErEc7J9YXh1Nc=
=zi2p
-----END PGP SIGNATURE-----




------- Additional Comments From marcdeslauriers 2005-03-05 08:59:09 ----

This $ISA stuff was added in newer pam versions in order to support multiple
architectures.

See:
http://www.opengroup.org/pubs/corrigenda/u039f.htm

The change AFAIK was introduced in an earlier RH update, not this one.



------- Additional Comments From jimpop 2005-03-05 09:11:10 ----

Granted I guess there is some merit to the rationale behind $ISA, however to me
that's a security hole if all it takes is setting a system environment variable
(not trivial, but not completely impossible) to change the authentication module
used by "su -". 

-Jim P.



------- Additional Comments From madhatter 2005-03-05 11:49:28 ----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

622eac1455b5ccb0cf75705cc0f42b3226f9cc31 pam-0.75-62.10.legacy.i386.rpm
18c330ff1ef063f21a3b3c8eb297d09bb004ee67 pam-devel-0.75-62.10.legacy.i386.rpm

installed on RH9.  I can ssh in, change my password with passwd, and su.
hopefully these all use pam (they all have entries in /etc/pam.d).

+VERIFY RH9

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFCKilTePtvKV31zw4RAvuNAKCgrCNbz81gcBCCsLqcu0nJ+TFUywCbBsbH
BsMj/2nrFVVnm+Ba9JghBv4=
=k5HZ
-----END PGP SIGNATURE-----




------- Bug moved to this database by dkl 2005-03-30 18:26 -------

This bug previously known as bug 2010 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2010
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Differences between the previous RHL 7.3 pam and the update
https://bugzilla.fedora.us/attachment.cgi?action=view&id=827

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.



Comment 1 mschout 2005-05-12 20:01:24 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

RHL7.3 verify

sha1:
bb7b9e1c63be2eb2064b46eacaf8d0ce68594d11  pam-0.75-46.10.legacy.7x.i386.rpm
9af62c26654ba14bde7bf6e3b59b9b4f62fd5d35  pam-devel-0.75-46.10.legacy.7x.i386.rpm

signatures:
pam-0.75-46.10.legacy.7x.i386.rpm: md5 gpg OK
pam-devel-0.75-46.10.legacy.7x.i386.rpm: md5 gpg OK

Packages install without any errors or warnings.

I have been using these packages on 6 production 7.3 machines for over 1 month
with no problems.

+VERIFY RHL7.3
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCg7YF+CqvSzp9LOwRAtQxAJ4vP3gluhiMlMFngd3NAgmck+Q9vACgqxYF
Jh9XKuTpigTJTKamkID/17E=
=c5Mq
-----END PGP SIGNATURE-----

Comment 2 Marc Deslauriers 2005-05-18 20:51:48 UTC
These packages were officially released.