Bug 177331
| Summary: | CVE-2006-7108 login omits pam_acct_mgmt & pam_chauthtok when authentication is skipped. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 4 | Reporter: | Craig Lawson <craig.lawson> |
| Component: | util-linux | Assignee: | Karel Zak <kzak> |
| Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4.0 | CC: | mike.patnode, tmraz |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | source=bugzilla,reported=20060109,public=20060109,impact=low | ||
| Fixed In Version: | RHSA-2007-0235 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-05-01 17:17:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 176344 | ||
That patch was for login.c, after all RedHat patches have been applied. Good catch. Please, use "diff -u" next time. Thanks! Fixed in FC5. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. Note was assigned CVE-2006-7108 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0235.html |
Description of problem: login omits pam_acct_mgmt & chauth_tok when authentication is skipped. Authentication may be skipped, for example, during krlogin because Kerberos already took care of it. The problem with skipping pam_acct_mgmt is that it allows users to use the system when maybe they should not be allowed, such that if they have a Kerberos ticket, the other checks do not apply. If a user had to use password authentication, pam_acct_mgmt may reject the user for several reasons: not allowed to use the system at this time, not allowed to use this system, user's account has been disabled, etc. Why should these tests be skipped just because the user has a ticket? Same with pam_chauthtok: the user may have a valid ticket, but if their password has expired, they need to enter a new one right now. Version-Release number of selected component (if applicable): util-linux-2.12a-16.EL4.12 How reproducible: 100% Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: Here is a patch: *************** *** 634,650 **** fprintf(stderr,_("\nLogin incorrect\n")); pam_end(pamh, retcode); exit(0); } retcode = pam_acct_mgmt(pamh, 0); if(retcode == PAM_NEW_AUTHTOK_REQD) { retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } PAM_FAIL_CHECK; - } /* * Grab the user information out of the password file for future usage * First get the username that we are actually using, though. --- 634,650 ---- fprintf(stderr,_("\nLogin incorrect\n")); pam_end(pamh, retcode);1 exit(0); } + } retcode = pam_acct_mgmt(pamh, 0); if(retcode == PAM_NEW_AUTHTOK_REQD) { retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); } PAM_FAIL_CHECK; /* * Grab the user information out of the password file for future usage * First get the username that we are actually using, though.