Bug 103440 - pam_localusers incorrectly compares users.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: pam
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Jindrich Novy
QA Contact: Jay Turner
Keywords: Security
Reported: 2003-08-30 11:22 EDT by Krzysio (Chris) Leszczynski
Modified: 2015-01-07 19:06 EST
Doc Type: Bug Fix
Last Closed: 2004-09-21 04:20:02 EDT
Description Krzysio (Chris) Leszczynski 2003-08-30 11:22:38 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030619

Description of problem:

The routine uses an incorrect comparison in
BUILD/Linux-PAM-0.75/modules/pam_localuser/pam_localuser.c:114
If the user "abcXYZ" is authorized, it wrongly assumes that a user "abc" is
authorized too, i.e. if we had a user "ro", it would be as authorized as "root" is.

Version-Release number of selected component (if applicable):
pam-0.75-48, the one in rawhide has the same bug

How reproducible:
Always

Steps to Reproduce:
1. create an account for a nice user "anna".  

2. create an account for a bad user "ann".

3. Add a restriction to /etc/pam.d/sshd
   account required /lib/security/pam_localuser.so file=/etc/nice_users debug

4. Authorize her using:
   echo anna: > /etc/nice_users

Actual Results:  
Now both anna and ann can use the machine.

Expected Results:  The user "anna" should be authorized but "ann" should not,
unless she is added to /etc/nice_users

Additional info:

I made a patch: http://www.camk.edu.pl/~chris/pam-0.75-localuser-strcmp.patch.gz
It applies to pam-0.75-48
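
The class of comparison bug reported above, as an added example (not the pam_localuser source and not the reporter's patch). It assumes the flaw is a compare limited to `strlen(user)` bytes; the function names and the sample list entries are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of a passwd-style allow list, as in /etc/nice_users. */
static const char *SAMPLE_ENTRIES[] = { "# allowed users", "anna:", "root:x:0:0" };
#define N_ENTRIES (sizeof(SAMPLE_ENTRIES) / sizeof(SAMPLE_ENTRIES[0]))

/* Assumed shape of the flaw: only strlen(user) bytes are compared, so any
 * prefix of a listed name matches, and an empty name matches every line. */
static int listed_prefix(const char *user, const char *line)
{
    return strncmp(user, line, strlen(user)) == 0;
}

/* Exact match: the name field is everything before the first ':' (or the
 * whole line if there is none) and must equal user over its full length. */
static int listed_exact(const char *user, const char *line)
{
    size_t field_len = strcspn(line, ":\n");
    size_t user_len = strlen(user);

    if (line[0] == '#' || user_len == 0)
        return 0;                       /* skip comments, reject empty names */
    return field_len == user_len && memcmp(user, line, user_len) == 0;
}

/* Scan the sample list with the given matcher; returns 1 if user is listed. */
static int is_authorized(const char *user, int (*match)(const char *, const char *))
{
    for (size_t i = 0; i < N_ENTRIES; i++)
        if (match(user, SAMPLE_ENTRIES[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *users[] = { "anna", "ann", "ro", "root", "" };
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++)
        printf("%-5s prefix=%d exact=%d\n", users[i],
               is_authorized(users[i], listed_prefix),
               is_authorized(users[i], listed_exact));
    return 0;
}
```

A regression test for a fix of this kind should cover the same cases: a listed name, a strict prefix of a listed name, and the empty name.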
