Bug 1312442 - gnome-screensaver doesn't audit unlocks for non-pam_unix modules
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
x86_64 Linux
unspecified Severity high
: rc
: ---
Assigned To: Tomas Mraz
BaseOS QE Security Team
Depends On:
Reported: 2016-02-26 12:19 EST by tpacyga
Modified: 2016-03-15 22:32 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-03-14 06:52:42 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description tpacyga 2016-02-26 12:19:31 EST
Description of problem:
When locking the screen with gnome-screensaver, followed by an unlock, the authentication attempt does not get logged if it's an LDAP user (a unix system user gets audited correctly). Now, when I initially log in using gdm, both LDAP and unix users get audited correctly, because I am assuming gdm does the actual auditing. In the case of gnome-screensaver, since it runs with the permissions of the user doing the lock and not root, it doesn't have permission to audit. In that case it relies on the individual pam modules to perform the auditing, as is the case with pam_unix. pam_unix runs unix_chkpwd, which has a setuid bit and does the actual auditing if the uid is not 0. I was wondering if it makes sense to do something similar with pam_ldap, since I think it is important for screen unlocks to be properly audited. Maybe there needs to be an actual change to gnome-screensaver instead, since I am sure there are other pam modules with similar issues.

Version-Release number of selected component (if applicable):
gnome-screensaver - 2.28.3

How reproducible:
Reproducible every time

Steps to Reproduce:
1. Login with a user that gets authenticated through pam_unix
2. Lock the screen with gnome-screensaver
3. Enter password/unlock the screen
4. Check audit logs, see USER_AUTH message appears
5. Logout with unix user/login with a user that gets authenticated through pam_ldap
6. Lock the screen with gnome-screensaver
7. Enter password/unlock the screen
8. Check audit logs, no messages related to the unlock appear

Actual results:
No audit messages generated

Expected results:
A USER_AUTH audit message with a success/failure, similar to when unlocking with a unix user

Additional info:
Set as high, because security related
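The reproduction steps above boil down to one question an auditor wants answered from the audit log: for which accounts do screen unlocks produce a USER_AUTH record at all? The script below is an added example, not part of the bug report or of pam/gnome-screensaver; it parses raw audit records (the format written to /var/log/audit/audit.log and printed by `ausearch -m USER_AUTH`) and reports accounts with no USER_AUTH record emitted from an unprivileged context. The sample records are constructed for the example, and the rule "an unlock audit record carries the user's real uid, while login daemons such as gdm audit as uid 0" is a heuristic assumption of this example, not something the bug states.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the bug report): two unlock attempts by a
# pam_unix user, audited by the setuid unix_chkpwd helper, and a gdm login of an
# LDAP user whose later screen unlocks leave no USER_AUTH record at all.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1456507171.123:201): pid=2301 uid=1000 auid=1000 ses=3 msg='op=PAM:unix_chkpwd acct="localuser" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1456507171.456:202): pid=2302 uid=1000 auid=1000 ses=3 msg='op=PAM:unix_chkpwd acct="localuser" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
type=USER_AUTH msg=audit(1456507300.789:210): pid=1101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="ldapuser" exe="/usr/sbin/gdm-session-worker" hostname=? addr=? terminal=:0 res=success'
type=USER_START msg=audit(1456507301.001:211): pid=1101 uid=0 auid=1001 ses=4 msg='op=PAM:session_open acct="ldapuser" exe="/usr/sbin/gdm-session-worker" hostname=? addr=? terminal=:0 res=success'
"""

# One raw audit record: type, timestamp:serial, header fields, quoted msg payload.
RECORD_RE = re.compile(
    r"type=(?P<type>\S+) msg=audit\((?P<time>[\d.]+):(?P<serial>\d+)\): "
    r"(?P<fields>.*?) msg='(?P<msg>.*)'$"
)
# key=value pairs; values may be double-quoted (acct="...", exe="...").
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _kv(text):
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_audit_records(text):
    """Parse raw audit records into dicts; lines that are not records
    (ausearch's '----' separators and 'time->' lines) are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        rec = {"type": m["type"], "time": float(m["time"]), "serial": int(m["serial"])}
        rec.update(_kv(m["fields"]))
        rec.update(_kv(m["msg"]))
        records.append(rec)
    return records


def unlock_auth_events(records):
    """USER_AUTH records emitted from an unprivileged context, keyed by account.

    Heuristic assumption of this example: a screen unlock is authenticated inside
    the user's own session, so its record (if any) carries the user's real uid,
    even when a setuid helper such as unix_chkpwd writes it; login daemons audit
    as uid 0 and are left out so that a gdm login does not mask a missing unlock.
    """
    by_acct = defaultdict(list)
    for r in records:
        if r.get("type") == "USER_AUTH" and r.get("uid") not in (None, "0"):
            by_acct[r["acct"]].append((r["exe"], r["res"]))
    return dict(by_acct)


def accounts_without_unlock_audit(records, accounts):
    """Accounts (e.g. every user known to have locked a screen) that never
    produced an unprivileged USER_AUTH record: the auditing gap in this bug."""
    covered = unlock_auth_events(records)
    return sorted(a for a in accounts if a not in covered)


if __name__ == "__main__":
    recs = parse_audit_records(SAMPLE_AUDIT_LOG)
    for acct, events in unlock_auth_events(recs).items():
        print(acct, events)
    print("no unlock audit:", accounts_without_unlock_audit(recs, ["localuser", "ldapuser"]))
```

On a real host, replace SAMPLE_AUDIT_LOG with the output of `ausearch -m USER_AUTH` for the period in which the unlock tests were run; an account that is known to have unlocked the screen but appears in the "no unlock audit" list is affected by exactly the gap described in the report.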
Comment 2 tpacyga 2016-02-26 15:12:33 EST
I should add, this is similar to "Bug 443432 - gnome-screensaver doesn't audit failed unlock attempts," but that one seems to deal with just the pam_unix case.
Comment 3 Jakub Hrozek 2016-03-10 06:18:45 EST
pam_ldap doesn't audit on its own, just linux-pam does IIUC. 

on a tangent, please don't use pam_ldap, sssd is a much better choice.
Comment 4 Tomas Mraz 2016-03-14 06:52:42 EDT
There is no way to achieve this because the auditing of pam_unix here happens due to the unix_chkpwd helper being setuid. The screensaver runs with the regular user uid and cannot audit on itself.
Comment 5 tpacyga 2016-03-15 22:32:00 EDT
OK, thanks for your responses.
