Bug 308651

Summary: pam_stack.so service=system-auth behaving differently compared to explicit setting of configuration
Product: Red Hat Enterprise Linux 4
Reporter: Jose Plans <jplans>
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA
Severity: high
Priority: urgent
Version: 4.5
CC: sgrubb, tao
Hardware: All   
OS: Linux   
Fixed In Version: RHBA-2008-0707
Doc Type: Bug Fix
Last Closed: 2008-07-24 19:53:23 UTC
Bug Blocks: 246627    
Attachments:
 - proposed patch
 - pam_stack.log
 - pamtest.c
 - Correct patch
 - Patch implementing this as optional behavior.

Description Jose Plans 2007-09-27 09:38:27 UTC
Description of problem:

When expiring passwords, pam_chauthtok() doesn't seem to be initialised with an
already flushed pair of authentication tokens when using pam_stack.so. 
In fact, when debugging the pam_stack debug output we could see PAM_AUTHTOK was
not NULL, forcing pam modules not to prompt for a password change, which allowed
an authentication.

After speaking with Tomas this is considered a bug since pam_stack.so doesn't
drop PAM_AUTHTOK from a child when its parent didn't have it set up.
The original code doesn't seem to take this into account and after making the
changes it solved the issue.

Using pam_stack.so instead of an explicit pam configuration such as system-auth


Version-Release number of selected component (if applicable):
pam-0.77-66.23

How reproducible:
Always

Steps to Reproduce:
1. Install pam_unix2
2. Setup a stack with pam_stack as follows:
% cat /etc/pam.d/pamtest
--
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth debug
auth       required     /lib/security/$ISA/pam_nologin.so
account    required     /lib/security/$ISA/pam_stack.so service=system-auth debug
password   required     /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required     /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required     /lib/security/$ISA/pam_loginuid.so
--
% cat /etc/pam.d/system-auth
--
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_shells.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_unix2.so set_secrpc
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_access.so
account     required      /lib/security/$ISA/pam_unix2.so
password    sufficient    /lib/security/$ISA/pam_unix2.so
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     optional      /lib/security/$ISA/pam_mkhomedir.so
session     required      /lib/security/$ISA/pam_unix2.so

3. Expire the user password.
4. Use a pam client (I have attached the one we used to replicate this issue).
5. Try to authenticate the user.
  
Actual results:

PAM authentication
Password:
PAM authentication
Your password has expired. Choose a new password.
PAM authentication
Old Password:
PAM authentication  <---------- falls through never prompting for new password.
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication
Password changed.

Expected results:

PAM authentication
Password:
PAM authentication
Your password has expired. Choose a new password.
PAM authentication
Old Password:
PAM authentication
New password:             <------- New password prompt shows
PAM authentication
Re-enter new password:
PAM authentication
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication
Password changed.

Additional info:

Attachments:
 - proposed patch
 - logs from pam_stack showing this behavior
 - pamtest.c
 
Let me know if there is anything else we need to provide.
    Jose
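
The mechanism described in this report (a cached child handle keeping a PAM_AUTHTOK that its parent no longer holds, so the password module reuses it and never prompts for a new password) as a small Python model. This is an added illustration, not pam_stack.c, the attached patches or the pamtest.c client; the Handle class, the two toy modules, the `drop_unset` switch and the sample passwords are constructed for the example, and the real option name introduced by the optional-behavior patch is not given on this page.

```python
"""Model of the pam_stack.so PAM_AUTHTOK inheritance bug from this report.

Constructed simulation for illustration only: it is not pam_stack.c or
Linux-PAM, and the names below (Handle, sync_items, toy_* modules,
drop_unset) are assumptions, not identifiers from the attached patches.
"""
from dataclasses import dataclass, field

PAM_USER = "PAM_USER"
PAM_AUTHTOK = "PAM_AUTHTOK"
PAM_OLDAUTHTOK = "PAM_OLDAUTHTOK"
ITEMS = (PAM_USER, PAM_AUTHTOK, PAM_OLDAUTHTOK)


@dataclass
class Handle:
    """Stand-in for a pam_handle_t: an item table plus the prompts shown."""
    items: dict = field(default_factory=lambda: {k: None for k in ITEMS})
    prompts: list = field(default_factory=list)


def sync_items(parent: Handle, child: Handle, drop_unset: bool) -> None:
    """Propagate items from the parent handle into the cached child handle.

    drop_unset=False models the behaviour the report describes: only items the
    parent has set are copied, so a stale child PAM_AUTHTOK survives when the
    parent's is NULL.  drop_unset=True models the fix (made optional in the
    later patch; the real option name is not on this page): the child mirrors
    the parent, NULL included.
    """
    for key in ITEMS:
        if parent.items[key] is not None or drop_unset:
            child.items[key] = parent.items[key]


def toy_authenticate(h: Handle, password: str) -> None:
    """Toy auth module: prompts, then leaves the token in PAM_AUTHTOK."""
    h.prompts.append("Password:")
    h.items[PAM_AUTHTOK] = password


def toy_chauthtok(h: Handle, old_pw: str, new_pw: str) -> None:
    """Toy password module: asks for a new password only if PAM_AUTHTOK is
    empty; a pre-set token is reused without prompting."""
    h.prompts.append("Old Password:")
    h.items[PAM_OLDAUTHTOK] = old_pw
    if h.items[PAM_AUTHTOK] is None:
        h.prompts.append("New password:")
        h.prompts.append("Re-enter new password:")
        h.items[PAM_AUTHTOK] = new_pw
    # otherwise the stale token is used: the fall-through in "Actual results"


def expired_password_login(drop_unset: bool) -> list:
    """Auth phase, then password change, through one child handle that is
    reused across phases.  Returns the prompts the user saw."""
    parent = Handle()
    child = Handle()  # cached per service, like pam_stack's child handle
    parent.items[PAM_USER] = "bogo21000"   # user name taken from the report

    sync_items(parent, child, drop_unset)
    toy_authenticate(child, "old-secret")  # constructed sample password

    # The report's observation: the parent reaches pam_chauthtok() without a
    # PAM_AUTHTOK while the child still holds one.  Where the child's token
    # came from is not stated; the model assumes it is left over from auth.
    parent.items[PAM_AUTHTOK] = None

    sync_items(parent, child, drop_unset)
    toy_chauthtok(child, "old-secret", "new-secret")
    return child.prompts


if __name__ == "__main__":
    for mode in (False, True):
        print("drop_unset=%s:" % mode, expired_password_login(mode))
```

With `drop_unset=False` the returned prompt list stops at "Old Password:", matching the Actual results above; with `drop_unset=True` it continues to "New password:" and "Re-enter new password:", matching the Expected results. The point for anyone still running pam_stack: a PAM_AUTHTOK inherited from an earlier phase is a decision made on stale state, which is why the fix clears the child's item whenever the parent's is unset.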

Comment 1 Jose Plans 2007-09-27 09:38:27 UTC
Created attachment 208011 [details]
proposed patch

Comment 2 Jose Plans 2007-09-27 09:39:03 UTC
Created attachment 208021 [details]
pam_stack.log

Comment 3 Jose Plans 2007-09-27 09:43:57 UTC
Created attachment 208031 [details]
pamtest.c

Comment 4 Tomas Mraz 2007-09-27 10:08:07 UTC
Created attachment 208071 [details]
Correct patch

This is a correct patch.

I'm not sure we should fix this pam_stack behavior though. The reasons:

1. pam_stack is deprecated in RHEL-5
2. Although the current behavior is, strictly speaking, a bug, some other
customers' configurations might depend on this exact behavior and they will
break if we fix this.

So instead I simply recommend that the customer work around this bug by
not using pam_stack. Or just move the pam_unix2 out of the system-auth.

Comment 11 Tomas Mraz 2007-11-27 17:45:12 UTC
Created attachment 269941 [details]
Patch implementing this as optional behavior.

Comment 12 RHEL Program Management 2007-11-29 03:57:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 28 errata-xmlrpc 2008-07-24 19:53:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0707.html