Red Hat Bugzilla – Bug 1312442
gnome-screensaver doesn't audit unlocks for non-pam_unix modules
Last modified: 2016-03-15 22:32:00 EDT
Description of problem:
When locking the screen with gnome-screensaver, followed by an unlock, the authentication attempt does not get logged if it's an LDAP user (a unix system user gets audited correctly). Now, when I initially login, using gdm, both LDAP and unix users get audited correctly, because I am assuming gdm does the actual auditing. In the case of gnome-screensaver, since it runs with the permissions of the user doing the lock and not root, it doesn't have permission to audit. In that case it relies on the individual pam modules to perform the auditing as is the case with pam_unix. pam_unix runs unix_chkpwd which has a setuid bit, which does the actual auditing if the uid is not 0. I was wondering if it makes sense to do something similar with pam_ldap, since I think it is important for screen unlocks to be properly audited. Maybe there needs to be an actual change to gnome-screensaver instead, since I am sure there are other pam modules with similar issues.
Version-Release number of selected component (if applicable):
gnome-screensaver - 2.28.3
Reproducible every time
Steps to Reproduce:
1. Login with a user that gets authenticated through pam_unix
2. Lock the screen with gnome-screensaver
3. Enter password/unlock the screen
4. Check audit logs, see USER_AUTH message appears
5. Logout with unix user/login with a user that gets authenticated through pam_ldap
6. Lock the screen with gnome-screensaver
7. Enter password/unlock the screen
8. Check audit logs, no messages related to the unlock appear
Actual results:
No audit messages generated
Expected results:
A USER_AUTH audit message with a success/failure, similar to when unlocking with a unix user
Set as high, because security related
I should add, this is similar to "Bug 443432 - gnome-screensaver doesn't audit failed unlock attempts," but that one seems to deal with just the pam_unix case.
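The check behind steps 4 and 8 of the reproducer (look in the audit log for a USER_AUTH record tied to the unlock) is easy to automate. The following script is an added example; it is not part of the bug report and not code from gnome-screensaver or pam_unix. It parses Linux audit records, treats a USER_AUTH record that carries a real login uid (auid is not the unset value 4294967295) as a re-authentication from inside an existing session, such as a screen unlock, and lists login sessions that never produced such a record. The sample log lines are constructed for the example; the op= and exe= values for unix_chkpwd and the gdm session worker are assumptions, not values quoted from the bug.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report). The field
# layout follows the Linux audit USER_AUTH/USER_START format; the op= and exe=
# values for unix_chkpwd and gdm are assumed for illustration.
# alice: local user, logs in via gdm (ses=3), then fails once and succeeds once
#        at unlocking; unix_chkpwd (setuid) audits both attempts.
# bob:   LDAP user, logs in via gdm (ses=4); his unlock leaves no record.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1457999900.100:450): pid=2200 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="alice" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=:0 res=success'
type=USER_START msg=audit(1457999901.000:451): pid=2200 uid=0 auid=1000 ses=3 msg='op=PAM:session_open acct="alice" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=:0 res=success'
type=USER_AUTH msg=audit(1457999999.123:456): pid=2345 uid=1000 auid=1000 ses=3 msg='op=PAM:unix_chkpwd acct="alice" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0 res=failed'
type=USER_AUTH msg=audit(1458000020.456:457): pid=2350 uid=1000 auid=1000 ses=3 msg='op=PAM:unix_chkpwd acct="alice" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0 res=success'
type=USER_AUTH msg=audit(1458000100.000:460): pid=2400 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="bob" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=:0 res=success'
type=USER_START msg=audit(1458000101.000:461): pid=2400 uid=0 auid=1001 ses=4 msg='op=PAM:session_open acct="bob" exe="/usr/libexec/gdm-session-worker" hostname=? addr=? terminal=:0 res=success'
"""

UNSET_AUID = 4294967295  # (unsigned)-1: no login uid assigned yet

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$"
)
# key=value pairs; values may be single-quoted (nested msg='...'),
# double-quoted strings, or bare tokens such as pid=2345 or terminal=:0
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def _parse_fields(text):
    """Flatten key=value pairs, descending into the single-quoted msg payload."""
    fields = {}
    for key, value in KV_RE.findall(text):
        if value.startswith("'") and value.endswith("'"):
            fields.update(_parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields


def parse_record(line):
    """Return a dict for one audit record, or None if the line is not one."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rec.update(_parse_fields(m["rest"]))
    return rec


def parse_audit_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]


def _is_reauth(rec):
    # A USER_AUTH emitted while a login uid is already set comes from inside an
    # existing session (screen unlock, sudo-style re-auth), not from the login.
    return rec["type"] == "USER_AUTH" and int(rec.get("auid", UNSET_AUID)) != UNSET_AUID


def reauth_summary(records):
    """Per-account success/failed counts for in-session re-authentications."""
    summary = defaultdict(lambda: {"success": 0, "failed": 0})
    for rec in records:
        if _is_reauth(rec):
            outcome = "success" if rec.get("res") == "success" else "failed"
            summary[rec.get("acct", "?")][outcome] += 1
    return dict(summary)


def sessions_without_reauth_audit(records):
    """(acct, ses) for every login session that never audited a re-auth."""
    audited = {rec.get("ses") for rec in records if _is_reauth(rec)}
    return [
        (rec.get("acct", "?"), rec.get("ses"))
        for rec in records
        if rec["type"] == "USER_START" and rec.get("ses") not in audited
    ]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for acct, counts in reauth_summary(recs).items():
        print(f"{acct}: {counts['success']} successful, {counts['failed']} failed unlock attempts audited")
    for acct, ses in sessions_without_reauth_audit(recs):
        print(f"session {ses} ({acct}): no USER_AUTH record after login; unlocks are not being audited")
```

Run against a real `/var/log/audit/audit.log` instead of the constructed sample to see which desktop sessions leave no trace of their unlocks. A session that simply never locked the screen will also show up, so the listing is a lead to follow up, not proof on its own; the bug's point is that for an LDAP account the listing stays empty of USER_AUTH records no matter how many unlocks were performed.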
pam_ldap doesn't audit on its own, just linux-pam does IIUC.
On a tangent, please don't use pam_ldap, sssd is a much better choice.
There is no way to achieve this because the auditing of pam_unix here happens due to the unix_chkpwd helper being setuid. The screensaver runs with the regular user uid and cannot audit on itself.
OK, thanks for your responses.