Bug 196859 - stacked PAM_ACTION_{BAD,DIE} and PAM_IGNORE will wrongfully authenticate a user
stacked PAM_ACTION_{BAD,DIE} and PAM_IGNORE will wrongfully authenticate a user
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam (Show other bugs)
4.0
All Linux
high Severity high
: ---
: ---
Assigned To: Tomas Mraz
Jay Turner
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-27 07:45 EDT by Navid Sheikhol-Eslami
Modified: 2015-01-07 19:13 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-06-27 08:01:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
patch that fixes stacked PAM_IGNORE return (413 bytes, patch)
2006-06-27 07:45 EDT, Navid Sheikhol-Eslami
no flags Details | Diff

  None (edit)
Description Navid Sheikhol-Eslami 2006-06-27 07:45:59 EDT
Created attachment 131596 [details]
patch that fixes stacked PAM_IGNORE return
Comment 1 Navid Sheikhol-Eslami 2006-06-27 07:45:59 EDT
Description of problem:

It may be possible for a user to successfully authenticate via PAM while
configuration would suggest a failure.

This will happen if all the following conditions are met:

- the user trying to authenticate exists
- an "auth" module is called from pam_stack
- this module returns PAM_IGNORE for pam_authenticate()
- action is [default=die] -OR- action is [default=bad] and module is at end of
the stack

Version-Release number of selected component (if applicable):

pam-0.77 (apparently also applies to upstream 0.99.4.0)

How reproducible:

It is possible to reproduce this using "pam_debug", although the same problem
was observed using a much more complex configuration using LDAP + pam_ccreds.

Steps to Reproduce:
1. add the following line to /etc/pam.d/system-auth: "auth [default=die]
/lib/security/$ISA/pam_debug auth=ignore"
2. try to login as "root" from console (must use /etc/pam.d/login, GDM won't work)
  
Actual results:

Authentication is successful and root shell is given.

Expected results:

Authentication fails.

Additional info:

This is happening in libpam/pam_dispatch.c because _pam_dispatch_aux() will
return back PAM_IGNORE, and since pam_stack is a "required" (equivalent to
[success=ok new_authtok_reqd=ok ignore=ignore default=bad]) it will be ignored
and authentication successful.

_pam_dispatch_aux() should not return PAM_IGNORE if action is _PAM_ACTION_BAD or
_PAM_ACTION_DIE, but rather PAM_MUST_FAIL_CODE (=PAM_PERM_DENIED).

I am attaching a patch that fixes this behavior.
Comment 2 Tomas Mraz 2006-06-27 08:01:58 EDT
I'm sorry, but this is not possible to change without upstream acceptance and I
don't agree with the change too. This is not really a bug but a feature of the
stack processing in libpam.

pam_stack is deprecated and that's one of the reasons why.

It should be possible to use jump actions to workaround this issue.
Comment 3 Tomas Mraz 2006-06-27 08:05:16 EDT
I will consult this bug report with other upstream developers. If it is agreed
to change this behavior upstream we can reconsider it.

Note You need to log in before you can comment on or make changes to this bug.