Bug 177331 - CVE-2006-7108 login omits pam_acct_mgmt & pam_chauthtok when authentication is skipped.
CVE-2006-7108 login omits pam_acct_mgmt & pam_chauthtok when authentication i...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: util-linux (Show other bugs)
4.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Karel Zak
Ben Levenson
source=bugzilla,reported=20060109,pub...
: Security
Depends On:
Blocks: 176344
  Show dependency treegraph
 
Reported: 2006-01-09 14:03 EST by Craig Lawson
Modified: 2007-11-30 17:07 EST (History)
2 users (show)

See Also:
Fixed In Version: RHSA-2007-0235
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-05-01 13:17:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Craig Lawson 2006-01-09 14:03:10 EST
Description of problem:
login omits pam_acct_mgmt & chauth_tok when authentication is skipped.
Authentication may be skipped, for example, during krlogin because Kerberos
already took care of it. The problem with skipping pam_acct_mgmt is that it
allows users to use the system when maybe they should not be allowed, such that
if they have a Kerberos ticket, the other checks do not apply.

If a user had to use password authentication, pam_acct_mgmt may reject the user
for several reasons: not allowed to use the system at this time, not allowed to
use this system, user's account has been disabled, etc. Why should these tests
be skipped just because the user has a ticket?

Same with pam_chauthtok: the user may have a valid ticket, but if their password
has expired, they need to enter a new one right now.

Version-Release number of selected component (if applicable):
util-linux-2.12a-16.EL4.12

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Here is a patch:
***************
*** 634,650 ****
  	    fprintf(stderr,_("\nLogin incorrect\n"));
  	    pam_end(pamh, retcode);
  	    exit(0);
  	}
  
  	retcode = pam_acct_mgmt(pamh, 0);
  
  	if(retcode == PAM_NEW_AUTHTOK_REQD) {
  	    retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
  	}
  
  	PAM_FAIL_CHECK;
-     }
  
      /*
       * Grab the user information out of the password file for future usage
       * First get the username that we are actually using, though.
--- 634,650 ----
  	    fprintf(stderr,_("\nLogin incorrect\n"));
  	    pam_end(pamh, retcode);1
  	    exit(0);
  	}
+     }
  
      retcode = pam_acct_mgmt(pamh, 0);
  
      if(retcode == PAM_NEW_AUTHTOK_REQD) {
          retcode = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
      }
  
      PAM_FAIL_CHECK;
  
      /*
       * Grab the user information out of the password file for future usage
       * First get the username that we are actually using, though.
Comment 1 Craig Lawson 2006-01-09 14:31:18 EST
That patch was for login.c, after all RedHat patches have been applied.
Comment 2 Karel Zak 2006-02-07 04:49:39 EST
Good catch. Please, use "diff -u" next time. Thanks!
Comment 3 Karel Zak 2006-02-22 16:00:50 EST
Fixed in FC5.
Comment 10 RHEL Product and Program Management 2006-08-18 12:49:05 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 16 Mark J. Cox (Product Security) 2007-03-08 08:11:26 EST
Note was assigned CVE-2006-7108
Comment 21 Red Hat Bugzilla 2007-05-01 13:17:46 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0235.html

Note You need to log in before you can comment on or make changes to this bug.