Bug 1949137
| Summary: | pam_usertype has flawed logic for system accounts. | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Martin Poole <mpoole> | |
| Component: | pam | Assignee: | Iker Pedrosa <ipedrosa> | |
| Status: | CLOSED ERRATA | QA Contact: | Anuj Borah <aborah> | |
| Severity: | low | Docs Contact: | ||
| Priority: | medium | |||
| Version: | 8.3 | CC: | aborah, dchen, pbrezina, tm | |
| Target Milestone: | beta | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | sync-to-jira review | |||
| Fixed In Version: | pam-1.3.1-21.el8 | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2078421 (view as bug list) | Environment: | ||
| Last Closed: | 2022-11-08 10:48:39 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2078421 | |||
Related code
static int
pam_usertype_is_system(pam_handle_t *pamh, uid_t uid)
{
uid_t uid_min;
uid_t sys_min;
uid_t sys_max;
if (uid == (uid_t)-1) {
pam_syslog(pamh, LOG_WARNING, "invalid uid");
return PAM_USER_UNKNOWN;
}
if (uid <= 99) {
/* Reserved. */
return PAM_SUCCESS;
}
if (uid == PAM_USERTYPE_OVERFLOW_UID) {
/* nobody */
return PAM_SUCCESS;
}
uid_min = pam_usertype_get_id(pamh, "UID_MIN", PAM_USERTYPE_UIDMIN);
sys_min = pam_usertype_get_id(pamh, "SYS_UID_MIN", PAM_USERTYPE_SYSUIDMIN);
sys_max = pam_usertype_get_id(pamh, "SYS_UID_MAX", uid_min - 1);
return uid >= sys_min && uid <= sys_max ? PAM_SUCCESS : PAM_AUTH_ERR;
}
static int
pam_usertype_is_regular(pam_handle_t *pamh, uid_t uid)
{
int ret;
ret = pam_usertype_is_system(pamh, uid);
switch (ret) {
case PAM_SUCCESS:
return PAM_AUTH_ERR;
case PAM_USER_UNKNOWN:
return PAM_USER_UNKNOWN;
default:
return PAM_SUCCESS;
}
}
===================================================================
So according to the code, the followings UID are system users:
* UID<=99
* UID is between SYS_UID_MIN and SYS_UID_MAX
* Kernel overflow uid: default is 65534
And for regular users:
UID not in the system users except (uid_t)-1)
I agree with Martin here. All the UIDs <= SYS_UID_MAX should be treated as system. I'd simply drop the check of SYS_UID_MIN. Although maybe there should be also some more sanity checking logic to verify that the uid is < UID_MIN. I.e., uid <= SYS_UID_MAX && uid < UID_MIN master:
pam_usertype: only use SYS_UID_MAX for system users - 370064ef6f99581b08d473a42bb3417d5dda3e4e
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (pam bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2022:7723 |
Description of problem: pam_usertype has flawed assumptions in determining what constitutes a system account. The code has a hard-coded check for UID < 100 and then checks the uid is between SYS_UID_MIN and SYS_UID_MAX from /etc/login.defs The problem is that this range is not the range of systems accounts. It is the available range to allocate new system accounts after deployment. RHEL-8 default values for these are SYS_UID_MIN 201 SYS_UID_MAX 999 The range 100-200 is also for system accounts, but the range is specifically excluded from the login.defs range to provide a pool for explicit allocations for certain packages that rely on a fixed id. Version-Release number of selected component (if applicable): pam-1.3.1-11.el8 Additional info: The least worst fix for now is probably just to test uid <= SYS_UID_MAX There is no lookup I can think of that will give a definitive answer. /etc/login.defs is a config file, available for tweaking as the customer wishes and might make the two ranges anything.