Bug 308651 - pam_stack.so service=system-auth behaving differently compared to explicit setting of configuration
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.5
Hardware: All
OS: Linux
Priority: urgent
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 246627
Reported: 2007-09-27 09:38 UTC by Jose Plans
Modified: 2018-10-19 22:23 UTC

Fixed In Version: RHBA-2008-0707
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-07-24 19:53:23 UTC
Target Upstream Version:
Embargoed:


Attachments
proposed patch (651 bytes, patch) - 2007-09-27 09:38 UTC, Jose Plans
pam_stack.log (8.88 KB, text/plain) - 2007-09-27 09:39 UTC, Jose Plans
pamtest.c (1.38 KB, text/x-csrc) - 2007-09-27 09:43 UTC, Jose Plans
Correct patch (3.68 KB, patch) - 2007-09-27 10:08 UTC, Tomas Mraz
Patch implementing this as optional behavior. (7.21 KB, patch) - 2007-11-27 17:45 UTC, Tomas Mraz


Links
Red Hat Product Errata RHBA-2008:0707 (priority normal, status SHIPPED_LIVE): pam bug fix and enhancement update, last updated 2008-07-23 16:29:30 UTC

Description Jose Plans 2007-09-27 09:38:27 UTC
Description of problem:

When expiring passwords, pam_chauthtok() doesn't seem to be initialised with an
already flushed pair of authentication tokens when using pam_stack.so. 
In fact, when debugging the pam_stack debug output we could see PAM_AUTHTOK was
not NULL forcing pam modules to not prompt for a password change which allowed
an authentication.

After speaking with Tomas this is considered a bug since pam_stack.so doesn't
drop PAM_AUTHTOK from a child when its parent didn't have it setup.
The original code doesn't seem to take this into account and after making the
changes it solved the issue.

Using pam_stack.so instead of an explicit pam configuration such as system-auth


Version-Release number of selected component (if applicable):
pam-0.77-66.23

How reproducible:
Always

Steps to Reproduce:
1. Install pam_unix2
2. Setup a stack with pam_stack as follows:
% cat /etc/pam.d/pamtest
--
#%PAM-1.0
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth debug
auth       required     /lib/security/$ISA/pam_nologin.so
account    required     /lib/security/$ISA/pam_stack.so service=system-auth debug
password   required     /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required     /lib/security/$ISA/pam_stack.so service=system-auth debug
session    required     /lib/security/$ISA/pam_loginuid.so
--
% cat /etc/pam.d/system-auth
--
auth        required      /lib/security/$ISA/pam_env.so
auth        required      /lib/security/$ISA/pam_shells.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_unix2.so set_secrpc
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_access.so
account     required      /lib/security/$ISA/pam_unix2.so
password    sufficient    /lib/security/$ISA/pam_unix2.so
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     optional      /lib/security/$ISA/pam_mkhomedir.so
session     required      /lib/security/$ISA/pam_unix2.so

3. Expire the user password.
4. Use a pam client (I have attached the one we used to replicate this issue).
5. Try to authenticate the user.
  
Actual results:

PAM authentication
Password:
PAM authentication
Your password has expired. Choose a new password.
PAM authentication
Old Password:
PAM authentication  <---------- falls through never prompting for new password.
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication
Password changed.

Expected results:

PAM authentication
Password:
PAM authentication
Your password has expired. Choose a new password.
PAM authentication
Old Password:
PAM authentication
New password:             <------- New password prompt shows
PAM authentication
Re-enter new password:
PAM authentication
NIS+ password information changed for bogo21000
NIS+ credential information changed for bogo21000
PAM authentication
Password changed.

Additional info:

Attachments:
 - proposed patch
 - logs from pam_stack showing this behavior
 - pamtest.c
 
Let me know if there is anything else we need to provide.
    Jose

Comment 1 Jose Plans 2007-09-27 09:38:27 UTC
Created attachment 208011 [details]
proposed patch

Comment 2 Jose Plans 2007-09-27 09:39:03 UTC
Created attachment 208021 [details]
pam_stack.log

Comment 3 Jose Plans 2007-09-27 09:43:57 UTC
Created attachment 208031 [details]
pamtest.c

Comment 4 Tomas Mraz 2007-09-27 10:08:07 UTC
Created attachment 208071 [details]
Correct patch

This is a correct patch.

I'm not sure we should fix this pam_stack behavior though. The reasons:

1. pam_stack is deprecated in RHEL-5
2. Although the current behavior is strictly speaking a bug, some other
customers' configurations might depend on this exact behavior and they will
break if we fix this.

So instead I simply recommend the customer to work around this bug by simply
not using pam_stack. Or just move the pam_unix2 out of the system-auth.
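
As an added example (not one of the attachments to this report), a POSIX shell audit that finds the configuration shape the reproduction above relies on and that comment 4's workaround removes: a service whose password phase is delegated through pam_stack.so service=NAME to a stack that itself runs pam_unix2.so. It follows one level of service= delegation, handles bracketed control flags, and the function names are my own.

```shell
#!/bin/sh
# Audit a pam.d directory for password phases that reach pam_unix2.so only
# through pam_stack.so (the pattern in this bug). Constructed helper names.

# Print the module file names used by service $2 in phase $3 (auth, account,
# password or session), read from "$1/$2". A pam_stack.so entry is printed as
# "stack:<service>" so the caller can follow the delegation.
pam_phase_modules() {
  awk -v phase="$3" '
    { t = $1; sub(/^-/, "", t) }                 # tolerate the "-type" prefix
    t == phase {
      m = 3                                      # module path field; bracketed
      if ($2 ~ /^\[/) {                          # control flags shift it right
        m = 2; while (m <= NF && $m !~ /\]$/) m++; m++
      }
      n = split($m, p, "/"); mod = p[n]          # strip /lib/security/$ISA/
      if (mod == "pam_stack.so") {
        for (i = m + 1; i <= NF; i++)
          if ($i ~ /^service=/) { sub(/^service=/, "", $i); print "stack:" $i }
      } else if (mod != "") print mod
    }' "$1/$2" 2>/dev/null
}

# Report every service in $1 whose password phase goes through pam_stack.so to
# a stack containing pam_unix2.so. Findings are printed one per line.
pam_stack_audit() {
  dir=$1
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    svc=${f##*/}
    for target in $(pam_phase_modules "$dir" "$svc" password | sed -n 's/^stack://p'); do
      if pam_phase_modules "$dir" "$target" password | grep -qx 'pam_unix2.so'; then
        printf '%s: password phase delegated via pam_stack.so to %s, which runs pam_unix2.so\n' \
          "$svc" "$target"
      fi
    done
  done
  return 0
}

# Usage: sh pam_stack_audit.sh /etc/pam.d
if [ $# -gt 0 ]; then pam_stack_audit "$1"; fi
```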

Comment 11 Tomas Mraz 2007-11-27 17:45:12 UTC
Created attachment 269941 [details]
Patch implementing this as optional behavior.

Comment 12 RHEL Program Management 2007-11-29 03:57:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 28 errata-xmlrpc 2008-07-24 19:53:23 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0707.html
