The pam_setquota module iterates over all mounted file systems using `setmntent()` and `getmntent()`. It tries to find the longest match of a file system mounted on /home/$USER or above it (except when the explicit fs=/some/path parameter is passed to the PAM module). The home directory /home/$USER is owned by the unprivileged user, however. There exist tools like `fusermount` from libfuse, which by default is installed setuid-root and usable by everybody. `fusermount` allows unprivileged users to mount a FUSE file system using an arbitrary source device name.
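To make the search described above concrete, here is an added example (not code from linux-pam or from the reporter) that reproduces the longest-match walk over an mtab-style table with `setmntent()`/`getmntent()`. The table is constructed for this example: its last line stands in for a FUSE mount an unprivileged user could create at their own home directory with an attacker-chosen source device name. The `skip_home` flag is a hypothetical mitigation used here only to show the difference between matching the user-owned home directory itself and matching only its ancestors; it is not a description of the upstream fix.

```c
#define _GNU_SOURCE
#include <mntent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed mount table (not taken from any real system). The last entry
 * models a FUSE mount created by user "alice" with a source device name
 * chosen by her, exactly what setuid-root fusermount permits. */
static const char *FAKE_MTAB =
    "/dev/sda1 / ext4 rw 0 0\n"
    "/dev/sda2 /home ext4 rw,usrquota 0 0\n"
    "evil-device /home/alice fuse.sshfs rw,nosuid,nodev,user=alice 0 0\n";

/* setmntent() needs a file, so write the constructed table to a temp file.
 * Returns a malloc'd path the caller frees, or NULL on error. */
static char *write_fake_mtab(void) {
    char tmpl[] = "/tmp/mtab-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    FILE *f = fdopen(fd, "w");
    if (!f) {
        close(fd);
        return NULL;
    }
    fputs(FAKE_MTAB, f);
    fclose(f);
    return strdup(tmpl);
}

/* Longest-match search: a mount point qualifies when it is "home" itself or
 * a proper ancestor of it (prefix match on path component boundaries).
 * skip_home == 0 mirrors the behaviour described in the report: the
 * user-owned home directory itself can win.
 * skip_home == 1 is a hypothetical hardening that never considers a mount
 * point equal to the home directory, so only ancestors qualify.
 * On success the matched mnt_fsname is copied into device and 0 returned. */
static int find_fs(const char *mtab_path, const char *home, int skip_home,
                   char *device, size_t devlen) {
    FILE *m = setmntent(mtab_path, "r");
    if (!m)
        return -1;
    struct mntent *me;
    size_t best = 0;
    int found = 0;
    while ((me = getmntent(m)) != NULL) {
        const char *dir = me->mnt_dir;
        size_t n = strlen(dir);
        if (skip_home && strcmp(dir, home) == 0)
            continue;
        if (strncmp(home, dir, n) != 0)
            continue;
        /* "/" is an ancestor of everything; otherwise require a boundary */
        if (strcmp(dir, "/") != 0 && home[n] != '\0' && home[n] != '/')
            continue;
        if (n > best) {
            best = n;
            snprintf(device, devlen, "%s", me->mnt_fsname);
            found = 1;
        }
    }
    endmntent(m);
    return found ? 0 : -1;
}

int main(void) {
    char dev[256];
    char *path = write_fake_mtab();
    if (!path)
        return 1;
    if (find_fs(path, "/home/alice", 0, dev, sizeof dev) == 0)
        printf("matching home itself : device = %s\n", dev);   /* evil-device */
    if (find_fs(path, "/home/alice", 1, dev, sizeof dev) == 0)
        printf("ancestors only       : device = %s\n", dev);   /* /dev/sda2 */
    unlink(path);
    free(path);
    return 0;
}
```

With the constructed table, the walk that considers /home/$USER itself ends up holding the user-supplied string "evil-device" as the file system to act on, while a walk restricted to ancestors lands on the administrator-controlled /home mount. Whatever the module then does with that device name runs as root during login, which is why a user-controllable mount point in the search path matters.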
Created pam tracking bugs for this issue: Affects: fedora-all [bug 1851409]
Reference:
https://www.openwall.com/lists/oss-security/2020/06/04/5
https://bugzilla.suse.com/show_bug.cgi?id=1171721
Upstream Fix:
https://github.com/linux-pam/linux-pam/commit/27ded8954a1235bb65ffc9c730ae5a50b1dfed61
I'm not completely sure if I should post this information in this bugzilla or in https://bugzilla.redhat.com/show_bug.cgi?id=1851409, but as I have seen more people included in this one, I have decided to do it here. Fedora 32 and earlier versions don't include the pam_setquota.so module, so this vulnerability doesn't affect those versions. Besides, when I included the pam_setquota module in Fedora Rawhide (33 and above), I did so by rebasing to release 1.4.0. This release already includes the upstream fix indicated by Michael. Thus, in my opinion, this bugzilla can be closed as not a bug.
Statement: pam_setquota module is not included in pam packages shipped with Red Hat Enterprise products.
External References:
https://www.openwall.com/lists/oss-security/2020/06/04/5
https://github.com/linux-pam/linux-pam/commit/27ded8954a1235bb65ffc9c730ae5a50b1dfed61