Bug 210120 - PAM passthru plugin causes directory server to crash
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Server - Plugins
Version: 1.0.2
Hardware: All Linux
Priority: medium
Severity: high
Assigned To: Rich Megginson
QA Contact: Viktor Ashirov
Blocks: fds103trackingbug
Reported: 2006-10-10 02:24 EDT by Miika Pekkarinen
Modified: 2015-12-07 12:07 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 12:07:18 EST

Attachments
Simple patch to fix the issue (502 bytes, patch), 2006-10-10 02:24 EDT, Miika Pekkarinen
new diffs (1.57 KB, patch), 2006-10-10 11:30 EDT, Rich Megginson

Description Miika Pekkarinen 2006-10-10 02:24:53 EDT
Description of problem:

Providing incorrect authentication parameters for an LDAP bind operation
causes the pam_passthru plugin to pass a NULL pointer string to the system PAM
authentication modules, which will crash.

How reproducible:

Behaviour should be reproducible with all versions.


Steps to Reproduce:
1. Make sure Kerberos is used for PAM authentication
2. Enable the pam_passthru plugin
3. ldapsearch -x -D 'asdasdadf' -w asdasfas
4. Directory server crashes
  
Actual results:

Server is running fine and working correctly with a valid query like:
ldapsearch -x -b 'dc=valid,dc=data' -D 'uid=user,ou=People,dc=valid,dc=data' -w blah123

But providing incorrect bind data crashes the server immediately:
[root@auth0 fedora-ds]# ldapsearch -x -b 'dc=valid,dc=data' -D 'blah123' -w blah123
ldap_bind: Can't contact LDAP server (-1)


Additional info:

A patch to fix this problem is provided as attachment. The fix was to prevent 
str being NULL.
Comment 1 Miika Pekkarinen 2006-10-10 02:24:53 EDT
Created attachment 138116 [details]
Simple patch to fix the issue
Comment 2 Rich Megginson 2006-10-10 09:56:18 EDT
Thanks!

In order to accept your patch into the codebase, we need to have a signed
Contributor License Agreement from you - see
http://directory.fedora.redhat.com/wiki/Contributing for more details.  We are
just about to release Fedora DS 1.0.3 and we would really like to get this bug
fix in, so please send in the CLA as soon as possible.  And thanks again.
Comment 3 Rich Megginson 2006-10-10 11:30:21 EDT
Created attachment 138150 [details]
new diffs

The previous patch would fix the problem, but I think it is better to just skip
the pam processing if there is a problem with the given bind dn.
Comment 4 Noriko Hosoi 2006-10-10 12:07:29 EDT
Looks good to me.
Comment 5 Rich Megginson 2006-10-10 12:32:49 EDT
Reviewed by: nhosoi (Thanks!)
Files: pam_ptimpl.c
Branch: HEAD
Fix Description: If the DN given in the BIND request is bogus, i.e. not a valid
DN (at least not one that ldap_explode_dn can parse), we should just skip the
PAM processing and just report a reasonable error to the client.  Similarly, if
the map method says to look up the pam ID from the bind DN entry, and the entry
cannot be found, just report an error and skip pam processing.
Platforms tested: FC5
Flag Day: no
Doc impact: no

Checking in pam_ptimpl.c;
/cvs/dirsec/ldapserver/ldap/servers/plugins/pam_passthru/pam_ptimpl.c,v  <-- pam_ptimpl.c
new revision: 1.9; previous revision: 1.8
done
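
An added example (not code from pam_ptimpl.c or from the attached patches) that models the fix described in comment 5: a bind DN that cannot be mapped to a PAM id is rejected before the PAM stack is ever called. The function names, the simplified first-RDN parser standing in for ldap_explode_dn, the PAM stub and the choice of result codes are all assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* LDAP result codes (RFC 4511); which one to return is this example's choice. */
enum { RC_SUCCESS = 0, RC_INVALID_DN_SYNTAX = 34, RC_INVALID_CREDENTIALS = 49 };
static int pam_calls; /* how many times the PAM stand-in was reached */

/* Hypothetical DN-to-PAM-id mapping: first RDN value, or NULL if unparseable. */
static char *pam_id_from_dn(const char *dn)
{
    const char *eq = dn ? strchr(dn, '=') : NULL;
    size_t n;
    char *id;

    if (eq == NULL || eq == dn)
        return NULL;
    n = strcspn(eq + 1, ",");
    if (n == 0 || (id = malloc(n + 1)) == NULL)
        return NULL;
    memcpy(id, eq + 1, n);
    id[n] = '\0';
    return id;
}

/* PAM stand-in: dereferences user unchecked; "blah123" is a constructed sample. */
static int pam_stub_auth(const char *user, const char *pw)
{
    pam_calls++;
    return (*user && !strcmp(pw, "blah123")) ? RC_SUCCESS : RC_INVALID_CREDENTIALS;
}

/* Bind handler: when no PAM id can be derived, report an error and skip PAM. */
int passthru_bind(const char *bind_dn, const char *pw)
{
    char *id = pam_id_from_dn(bind_dn);
    int rc = RC_INVALID_DN_SYNTAX; /* returned when the DN is bogus */

    if (id != NULL)
        rc = pw ? pam_stub_auth(id, pw) : RC_INVALID_CREDENTIALS;
    free(id);
    return rc;
}

int main(void)
{
    int rc = passthru_bind("asdasdadf", "asdasfas"); /* bind DN from the report */
    printf("bogus DN: rc=%d, PAM calls=%d\n", rc, pam_calls);
    return 0;
}
```

The `pam_calls` counter is what a regression test should watch: for every malformed DN it must stay at zero, which shows the NULL never reaches the authentication modules.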
Comment 6 Michael Gregg 2007-11-21 14:22:01 EST
 
I'm punting this because the pam_passthrough plugin is not shipped with redhat-ds.
Comment 9 Amita Sharma 2011-06-20 02:56:58 EDT
PAM passthrough startup Tests  PASS   : 100% (13/13)
PAM passthrough run Tests  PASS       : 100% (9/9)
PAM passthrough cleanup Tests  PASS   : 100% (5/5)

Hence marking Verified - sanity only.
