Bug 594903
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | insufficient error checking in pam_succeed_if | | |
| Product | Red Hat Enterprise Linux 5 | Reporter | Jeff Bastian <jbastian> |
| Component | pam | Assignee | Tomas Mraz <tmraz> |
| Status | CLOSED NEXTRELEASE | QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 5.5 | CC | cevich, james.brown |
| Target Milestone | rc | Keywords | Patch |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2011-10-17 08:22:28 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 590060 | | |
| Attachments | | | |
Description
Jeff Bastian
2010-05-21 21:42:40 UTC
Created attachment 415789: backport Fedora 12 pam_succeed_if to RHEL 5
I compared the pam_succeed_if.c source from RHEL 5.5 and Fedora 12 and it hasn't changed much except for better option parsing and more error checking. When I used this module on RHEL 5, it fixed both problems.
1. An error now appears in /var/log/debug:
May 21 16:26:46 system sshd[5367]: pam_succeed_if(sshd:session): incomplete condition detected
2. The audit auid is correct, 500 instead of 4294967295:
type=USER_START msg=audit(1274477206.630:1797): user pid=5367 uid=0 auid=500 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session open acct="johndoe" : exe="/usr/sbin/sshd" (hostname=system.example.com, addr=192.168.0.1, terminal=ssh res=success)'
I forgot a step in the reproducer method:

0. Add two audit rules:

    auditctl -a exit,never -F 'auid>2147483645'
    auditctl -a exit,always -F 'auid!=0' -F uid=0 -S execve

The problem 2 is actually a problem of your misconfiguration and not really a pam_succeed_if problem in any way. You should never put a 'sufficient' module in the session pam stack, as the pam_loginuid or other modules in the concrete service configuration files could be skipped this way. But the problem 1 is real.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
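The "incomplete condition detected" check behind problem 1, shown as an added example that is not the pam_succeed_if source from RHEL 5 or Fedora 12: a small evaluator that walks a module argument list in field/operator/value triples, skips standalone option words, and refuses a trailing partial condition instead of reading past the end of the argument array. The enum names, the user_info record, the sample user, and the set of supported fields and operators are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of checking a pam_succeed_if-style argument list (names assumed for this example). */
enum cond_result {
    COND_MATCH = 0,     /* every condition held */
    COND_NO_MATCH,      /* a well-formed condition did not hold */
    COND_INCOMPLETE,    /* fewer than three words left: "incomplete condition" */
    COND_BAD_VALUE,     /* right-hand side is not a number for a numeric field */
    COND_BAD_OPERATOR,  /* operator unknown, or not valid for the field type */
    COND_UNKNOWN_FIELD  /* left-hand side is not a field this evaluator knows */
};

/* Constructed user record; the real module fills this in from getpwnam(). */
struct user_info {
    const char *name;
    long uid;
    long gid;
    const char *shell;
};

#define NARGS(a) ((int)(sizeof(a) / sizeof((a)[0])))

/* Standalone option words that are not part of a condition triple (assumed set). */
static int is_option_word(const char *w)
{
    return strcmp(w, "debug") == 0 || strcmp(w, "quiet") == 0 ||
           strcmp(w, "use_uid") == 0;
}

/* Numeric comparison; the right-hand side must parse completely as a base-10 integer. */
static enum cond_result eval_numeric(long actual, const char *op, const char *rhs)
{
    char *end;
    long want;

    errno = 0;
    want = strtol(rhs, &end, 10);
    if (*rhs == '\0' || *end != '\0' || errno != 0)
        return COND_BAD_VALUE;
    if (strcmp(op, "=") == 0)  return actual == want ? COND_MATCH : COND_NO_MATCH;
    if (strcmp(op, "!=") == 0) return actual != want ? COND_MATCH : COND_NO_MATCH;
    if (strcmp(op, "<") == 0)  return actual <  want ? COND_MATCH : COND_NO_MATCH;
    if (strcmp(op, "<=") == 0) return actual <= want ? COND_MATCH : COND_NO_MATCH;
    if (strcmp(op, ">") == 0)  return actual >  want ? COND_MATCH : COND_NO_MATCH;
    if (strcmp(op, ">=") == 0) return actual >= want ? COND_MATCH : COND_NO_MATCH;
    return COND_BAD_OPERATOR;
}

/* String comparison; only exact equality and inequality are supported here. */
static enum cond_result eval_string(const char *actual, const char *op, const char *rhs)
{
    if (strcmp(op, "=") == 0)  return strcmp(actual, rhs) == 0 ? COND_MATCH : COND_NO_MATCH;
    if (strcmp(op, "!=") == 0) return strcmp(actual, rhs) != 0 ? COND_MATCH : COND_NO_MATCH;
    return COND_BAD_OPERATOR;
}

/* Evaluate one "field op value" triple against the user record. */
static enum cond_result eval_triple(const struct user_info *u, const char *field,
                                    const char *op, const char *rhs)
{
    if (strcmp(field, "uid") == 0)   return eval_numeric(u->uid, op, rhs);
    if (strcmp(field, "gid") == 0)   return eval_numeric(u->gid, op, rhs);
    if (strcmp(field, "user") == 0)  return eval_string(u->name, op, rhs);
    if (strcmp(field, "shell") == 0) return eval_string(u->shell, op, rhs);
    return COND_UNKNOWN_FIELD;
}

/* Walk the argument list in triples. The length check is the point of the example:
 * without it, a trailing "uid >=" would make the code read argv[argc] and beyond. */
enum cond_result evaluate_conditions(const struct user_info *u, int argc, const char *argv[])
{
    int i = 0;
    while (i < argc) {
        enum cond_result r;
        if (is_option_word(argv[i])) { i++; continue; }
        if (argc - i < 3) {
            fprintf(stderr, "pam_succeed_if: incomplete condition detected\n");
            return COND_INCOMPLETE;
        }
        r = eval_triple(u, argv[i], argv[i + 1], argv[i + 2]);
        if (r != COND_MATCH)
            return r;
        i += 3;
    }
    return COND_MATCH;
}

/* Constructed sample inputs (not taken from the bug report). */
const struct user_info sample_user = { "johndoe", 500, 500, "/bin/bash" };
const char *sample_ok[]         = { "quiet", "uid", ">=", "500", "shell", "=", "/bin/bash", "debug" };
const char *sample_incomplete[] = { "uid", ">=" };
const char *sample_no_match[]   = { "uid", "<", "500" };
const char *sample_bad_op[]     = { "uid", "=~", "500" };
const char *sample_bad_value[]  = { "uid", ">=", "five" };
const char *sample_unknown[]    = { "home", "=", "/home/johndoe" };

int main(void)
{
    printf("complete list:   %d\n", evaluate_conditions(&sample_user, NARGS(sample_ok), sample_ok));
    printf("incomplete list: %d\n", evaluate_conditions(&sample_user, NARGS(sample_incomplete), sample_incomplete));
    return 0;
}
```

The `argc - i < 3` test is what turns a malformed line such as `pam_succeed_if.so uid >=` into the logged "incomplete condition detected" message seen in /var/log/debug above, rather than an out-of-bounds read of the argument array; the separate result codes let a caller distinguish a configuration error from a condition that simply did not hold.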