Red Hat Bugzilla – Bug 103440
pam_localusers incorrectly compares users.
Last modified: 2015-01-07 19:06:22 EST
Description of problem:
The routine uses an incorrect comparison in
If the user "abcXYZ" is authorized it wrongly assumes that a user "abc" is
authorized too, i.e. if we had a user "ro" it would be as authorized as "root" is.
Version-Release number of selected component (if applicable):
pam-0.75-48, the one in rawhide has the same bug
Steps to Reproduce:
1. Create an account for a nice user "anna".
2. Create an account for a bad user "ann".
3. Add a restriction to /etc/pam.d/sshd:
    account required /lib/security/pam_localuser.so file=/etc/nice_users debug
4. Authorize her using:
    echo anna: > /etc/nice_users
Now both anna and ann can use the machine.
Expected Results: The user "anna" should be authorized but "ann" should not,
unless she is added to /etc/nice_users.
I made a patch: http://www.camk.edu.pl/~chris/pam-0.75-localuser-strcmp.patch.gz
It applies to pam-0.75-48.
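
The prefix match described in this report, shown beside a corrected check, as an added example that is not part of the original report, the linked patch, or the PAM source. The flawed function is an assumed form of the comparison (the report does not show the code); the function names and the in-memory copy of /etc/nice_users are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Flawed check (assumed form of the bug): only strlen(user) bytes are
   compared, so any prefix of a listed name matches the line. */
static int line_matches_prefix(const char *line, const char *user)
{
    return strncmp(line, user, strlen(user)) == 0;
}

/* Corrected check: the matched name must end at the ':' field separator. */
static int line_matches_exact(const char *line, const char *user)
{
    size_t n = strlen(user);
    return n > 0 && strncmp(line, user, n) == 0 && line[n] == ':';
}

/* Scan passwd-style text (one "name:..." entry per line) with the given
   matcher; returns 1 if any line matches, 0 otherwise. */
static int user_listed(const char *file_text, const char *user,
                       int (*match)(const char *, const char *))
{
    const char *line = file_text;
    while (*line != '\0') {
        if (match(line, user))
            return 1;
        const char *nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Constructed sample: the contents of /etc/nice_users from the report. */
static const char NICE_USERS[] = "anna:\n";

int main(void)
{
    const char *users[] = { "anna", "ann", "bob" };
    for (size_t i = 0; i < 3; i++)
        printf("%-5s prefix=%d exact=%d\n", users[i],
               user_listed(NICE_USERS, users[i], line_matches_prefix),
               user_listed(NICE_USERS, users[i], line_matches_exact));
    return 0;
}
```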