Bug 308651 - pam_stack.so service=system-auth behaving differently compared to explicit setting of configuration
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.5
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Assigned To: Tomas Mraz
Blocks: 246627
Reported: 2007-09-27 05:38 EDT by Jose Plans
Modified: 2010-10-22 15:00 EDT (History)
Fixed In Version: RHBA-2008-0707
Doc Type: Bug Fix
Last Closed: 2008-07-24 15:53:23 EDT

Attachments
proposed patch (651 bytes, patch) - 2007-09-27 05:38 EDT, Jose Plans
pam_stack.log (8.88 KB, text/plain) - 2007-09-27 05:39 EDT, Jose Plans
pamtest.c (1.38 KB, text/x-csrc) - 2007-09-27 05:43 EDT, Jose Plans
Correct patch (3.68 KB, patch) - 2007-09-27 06:08 EDT, Tomas Mraz
Patch implementing this as optional behavior. (7.21 KB, patch) - 2007-11-27 12:45 EST, Tomas Mraz

Description Jose Plans 2007-09-27 05:38:27 EDT
Description of problem:

When expiring passwords, pam_chauthtok() doesn't seem to be initialised with an
already flushed pair of authentication tokens when using pam_stack.so.
In fact, when debugging the pam_stack debug output we could see PAM_AUTHTOK was
not NULL, forcing PAM modules not to prompt for a password change, which allowed
an authentication.

After speaking with Tomas this is considered a bug since pam_stack.so doesn't
drop PAM_AUTHTOK from a child when its parent didn't have it set up.
The original code doesn't seem to take this into account and after making the
changes it solved the issue.

Using pam_stack.so instead of an explicit pam configuration such as system-auth


Version-Release number of selected component (if applicable):
pam-0.77-66.23

How reproducible:
Always

Steps to Reproduce:
1. Install pam_unix2
2. Setup a stack with pam_stack as follows:
% cat /etc/pam.d/pamtest
--
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth debug
auth       required     /lib/security/$ISA/pam_nologin.so
account    required     /lib/security/$ISA/pam_stack.so service=system-auth debug
password   required     /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required     /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required     /lib/security/$ISA/pam_loginuid.so
--
% cat /etc/pam.d/system-auth
--
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_shells.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_unix2.so set_secrpc
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_access.so
account     required      /lib/security/$ISA/pam_unix2.so
password    sufficient    /lib/security/$ISA/pam_unix2.so
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     optional      /lib/security/$ISA/pam_mkhomedir.so
session     required      /lib/security/$ISA/pam_unix2.so
--

3. Expire the user password.
4. Use a pam client (I have attached the one we used to replicate this issue).
5. Try to authenticate the user.
  
Actual results:

PAM authentication
Password:
PAM authentication
Your password has expired. Choose a new password.
PAM authentication
Old Password:
PAM authentication  <---------- falls through never prompting for new password.
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication
Password changed.

Expected results:

PAM authentication
Password:
PAM authentication
Your password has expired. Choose a new password.
PAM authentication
Old Password:
PAM authentication
New password:             <------- New password prompt shows
PAM authentication
Re-enter new password:
PAM authentication
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication
Password changed.

Additional info:

Attachments:
 - proposed patch
 - logs from pam_stack showing this behavior
 - pamtest.c
 
Let me know if there is anything else we need to provide.
    Jose
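A simplified model of the item handoff the report describes, added here as an illustration; it is not the attached patch or pamtest.c. PamHandle, sync_items, chauthtok_module and the parent-to-child copy rule are assumptions drawn from the description, not pam_stack's actual source.

```python
# Simplified model of the pam_stack.so item handoff described in this bug.
# Constructed for illustration: PamHandle, sync_items and chauthtok_module
# are assumptions following the report, not pam_stack's real source.

PAM_USER = "PAM_USER"
PAM_AUTHTOK = "PAM_AUTHTOK"

class PamHandle:
    """Stand-in for a pam_handle_t: a dict of PAM items."""
    def __init__(self, **items):
        self.items = dict(items)

    def get_item(self, name):
        return self.items.get(name)

    def set_item(self, name, value):
        self.items[name] = value

def sync_items(parent, child, drop_unset_authtok):
    """Copy items from the parent handle into the cached child before each
    pam_stack call. Original rule: only items the parent has set are copied,
    so a PAM_AUTHTOK left in the child by the auth phase survives. With the
    fix, the child's PAM_AUTHTOK is cleared whenever the parent has none."""
    for name, value in parent.items.items():
        if value is not None:
            child.set_item(name, value)
    if drop_unset_authtok and parent.get_item(PAM_AUTHTOK) is None:
        child.set_item(PAM_AUTHTOK, None)

def chauthtok_module(child, prompt):
    """Password module as the report describes pam_unix2: prompt for a new
    password only when PAM_AUTHTOK is not already set in the handle."""
    token = child.get_item(PAM_AUTHTOK)
    if token is not None:
        return token, False  # fell through, as in the actual results
    token = prompt("New password: ")
    child.set_item(PAM_AUTHTOK, token)
    return token, True  # prompted, as in the expected results

def run_expired_login(old_password, drop_unset_authtok, prompt):
    """Auth phase, then chauthtok phase, through one cached child handle."""
    parent = PamHandle(PAM_USER="bogo21000", PAM_AUTHTOK=None)
    child = PamHandle()
    sync_items(parent, child, drop_unset_authtok)
    child.set_item(PAM_AUTHTOK, old_password)  # auth module stores the password
    parent.set_item(PAM_AUTHTOK, None)  # libpam clears the parent's token
    sync_items(parent, child, drop_unset_authtok)  # pam_chauthtok re-syncs
    return chauthtok_module(child, prompt)
```

With the original copy rule the stale token from the auth phase is reused and no new-password prompt appears; with the clearing rule the module prompts as in the expected results.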
Comment 1 Jose Plans 2007-09-27 05:38:27 EDT
Created attachment 208011 [details]
proposed patch
Comment 2 Jose Plans 2007-09-27 05:39:03 EDT
Created attachment 208021 [details]
pam_stack.log
Comment 3 Jose Plans 2007-09-27 05:43:57 EDT
Created attachment 208031 [details]
pamtest.c
Comment 4 Tomas Mraz 2007-09-27 06:08:07 EDT
Created attachment 208071 [details]
Correct patch

This is a correct patch.

I'm not sure we should fix this pam_stack behavior though. The reasons:

1. pam_stack is deprecated in RHEL-5
2. Although the current behavior is, strictly speaking, a bug, some other
customers' configurations might depend on this exact behavior and they will
break if we fix this.

So instead I simply recommend that the customer work around this bug by
not using pam_stack. Or just move the pam_unix2 out of the system-auth.
Comment 11 Tomas Mraz 2007-11-27 12:45:12 EST
Created attachment 269941 [details]
Patch implementing this as optional behavior.
Comment 12 RHEL Product and Program Management 2007-11-28 22:57:35 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 28 errata-xmlrpc 2008-07-24 15:53:23 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0707.html
