Bug 196859 - stacked PAM_ACTION_{BAD,DIE} and PAM_IGNORE will wrongfully authenticate a user
Summary: stacked PAM_ACTION_{BAD,DIE} and PAM_IGNORE will wrongfully authenticate a user
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: All
OS: Linux
high
high
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-06-27 11:45 UTC by Navid Sheikhol-Eslami
Modified: 2015-01-08 00:13 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-06-27 12:01:58 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
patch that fixes stacked PAM_IGNORE return (413 bytes, patch)
2006-06-27 11:45 UTC, Navid Sheikhol-Eslami
no flags Details | Diff

Description Navid Sheikhol-Eslami 2006-06-27 11:45:59 UTC
Created attachment 131596 [details]
patch that fixes stacked PAM_IGNORE return

Comment 1 Navid Sheikhol-Eslami 2006-06-27 11:45:59 UTC
Description of problem:

It may be possible for a user to successfully authenticate via PAM while
configuration would suggest a failure.

This will happen if all the following conditions are met:

- the user trying to authenticate exists
- an "auth" module is called from pam_stack
- this module returns PAM_IGNORE for pam_authenticate()
- action is [default=die] -OR- action is [default=bad] and module is at end of
the stack

Version-Release number of selected component (if applicable):

pam-0.77 (apparently also applies to upstream 0.99.4.0)

How reproducible:

It is possible to reproduce this using "pam_debug", although the same problem
was observed using a much more complex configuration using LDAP + pam_ccreds.

Steps to Reproduce:
1. add the following line to /etc/pam.d/system-auth: "auth [default=die]
/lib/security/$ISA/pam_debug auth=ignore"
2. try to login as "root" from console (must use /etc/pam.d/login, GDM won't work)
  
Actual results:

Authentication is successful and root shell is given.

Expected results:

Authentication fails.

Additional info:

This is happening in libpam/pam_dispatch.c because _pam_dispatch_aux() will
return back PAM_IGNORE, and since pam_stack is a "required" (equivalent to
[success=ok new_authtok_reqd=ok ignore=ignore default=bad]) it will be ignored
and authentication successful.

_pam_dispatch_aux() should not return PAM_IGNORE if action is _PAM_ACTION_BAD or
_PAM_ACTION_DIE, but rather PAM_MUST_FAIL_CODE (=PAM_PERM_DENIED).

I am attaching a patch that fixes this behavior.

Comment 2 Tomas Mraz 2006-06-27 12:01:58 UTC
I'm sorry, but this is not possible to change without upstream acceptance and I
don't agree with the change too. This is not really a bug but a feature of the
stack processing in libpam.

pam_stack is deprecated and that's one of the reasons why.

It should be possible to use jump actions to workaround this issue.


Comment 3 Tomas Mraz 2006-06-27 12:05:16 UTC
I will consult this bug report with other upstream developers. If it is agreed
to change this behavior upstream we can reconsider it.


Note You need to log in before you can comment on or make changes to this bug.