Bug 443432 - gnome-screensaver doesn't audit failed unlock attempts
Summary: gnome-screensaver doesn't audit failed unlock attempts
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: pam
Version: 9
Hardware: All
OS: Linux
Priority: low
Severity: high
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-04-21 15:06 UTC by LC Bruzenak
Modified: 2008-06-06 17:26 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-06 15:09:00 UTC
Type: ---
Embargoed:



Description LC Bruzenak 2008-04-21 15:06:46 UTC
Description of problem:
The gnome-screensaver does not audit failed unlock attempts.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.22.1-1.fc9.i386

How reproducible:
always

Steps to Reproduce:
1. Login
2. Lock screen
3. Enter bogus password
4. Search audit log for failed attempt (ausearch -i -x gnome-screensaver)
5. Ideally this would yield the answer I think:
ausearch -i -x gnome-screensaver -sv no

Actual results:
There are no "screen unlock" failures

Expected results:
There should be "screen unlock" failures

Additional info:
There are several audit events for the screensaver; you may need to pipe output
to grep "lock". Depending on Steve Grubb's advice I may file another bz to cover
those.

Comment 1 LC Bruzenak 2008-05-05 16:07:37 UTC
From looking at the priority field description I believe it should be changed to
high; maybe normal at the least. But since this is a loss of data deemed to be
security-relevant I believe it needs a higher priority if not also severity. 
The fix isn't urgently needed, but I'd like to see it addressed in the near
future if possible.

Comment 2 Bug Zapper 2008-05-14 09:51:57 UTC
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 3 Ted X Toth 2008-06-06 14:15:02 UTC
gnome-screensaver launches gnome-screensaver-dialog which uses pam to
reauthenticate the user. However, since gnome-screensaver-dialog is run as the
user and not root, it can't audit. In SELinux enforcing mode the audit failure
causes an authentication failure, which means the user cannot log back in
through the screen saver dialog.

Comment 4 Ray Strode [halfline] 2008-06-06 14:41:17 UTC
gnome-screensaver-dialog shouldn't run as root.

pam_unix uses a setuid helper to handle any heavy lifting it needs to do.

If audit is failing, it must be a problem with pam_unix, I guess.

Comment 5 Tomas Mraz 2008-06-06 15:09:00 UTC
You have to use 'ausearch -i -x unix_chkpwd -sv no' instead. The authentication
and the auditing of the authentication attempt are done by the unix_chkpwd
helper in the case of the screensaver and other non-root processes which call pam.

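The point of comment 5, shown on constructed data as an added example (not part of the bug report): when a non-root PAM caller such as gnome-screensaver-dialog authenticates, the USER_AUTH record carries the helper's exe, so a search keyed on the screensaver's own name finds no failures while one keyed on unix_chkpwd does. The record layout and account name below are constructed; the filter emulates the effect of 'ausearch -x <exe> -sv no' with awk over plain audit log lines.

```shell
# Constructed USER_AUTH records in the audit.log layout (not taken from the report).
# Two failed unlock attempts and one success, all attributed to unix_chkpwd because
# pam_unix delegates the password check (and its audit call) to that setuid helper;
# the screensaver dialog itself only shows up in non-authentication records.
sample_audit_log() {
  cat <<'EOF'
type=USER_AUTH msg=audit(1212758291.100:150): user pid=4080 uid=500 auid=500 msg='op=PAM:authentication acct="example" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0.0 res=failed'
type=USER_AUTH msg=audit(1212758300.200:151): user pid=4081 uid=500 auid=500 msg='op=PAM:authentication acct="example" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0.0 res=failed'
type=USER_AUTH msg=audit(1212758310.300:152): user pid=4082 uid=500 auid=500 msg='op=PAM:authentication acct="example" exe="/sbin/unix_chkpwd" hostname=? addr=? terminal=:0.0 res=success'
type=USER_START msg=audit(1212758310.400:153): user pid=4079 uid=500 auid=500 msg='op=PAM:session_open acct="example" exe="/usr/libexec/gnome-screensaver-dialog" hostname=? addr=? terminal=:0.0 res=success'
EOF
}

# Print every record whose executable basename is $1 and whose result is failed,
# i.e. what 'ausearch -x $1 -sv no' would select. Reads audit records on stdin.
list_failed_auths() {
  awk -v exe="$1" '
    $0 ~ ("exe=\"[^\"]*/" exe "\"") && $0 ~ /res=failed/ { print }
  '
}

# Same filter, but emit only the number of matching records (0 when none match).
count_failed_auths() {
  awk -v exe="$1" '
    $0 ~ ("exe=\"[^\"]*/" exe "\"") && $0 ~ /res=failed/ { n++ }
    END { print n + 0 }
  '
}

# Searching by the dialog's name reproduces the reporter's empty result;
# searching by the helper's name surfaces the failed unlock attempts.
sample_audit_log | count_failed_auths gnome-screensaver-dialog   # 0
sample_audit_log | count_failed_auths unix_chkpwd                # 2
sample_audit_log | list_failed_auths unix_chkpwd
```

On a live system the same filters apply to /var/log/audit/audit.log, but 'ausearch -i -x unix_chkpwd -sv no' additionally resolves uids and timestamps.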

Comment 6 Ted X Toth 2008-06-06 15:29:50 UTC
Instead of what? Here is the AVC that causes the authentication failure when
SELinux is in enforcing mode and the gnome-screensaver-dialog is being used to
reauthenticate.
type=AVC msg=audit(1212758291.296:156): avc:  denied  { create } for  pid=4079
comm="gnome-screensav" scontext=user_u:user_r:user_t:s0
tcontext=user_u:user_r:user_t:s0 tclass=netlink_audit_socket

Should I open a new bug?

Comment 7 Ted X Toth 2008-06-06 15:41:09 UTC
Also in /var/log/secure I get:
Jun  5 10:34:04 localhost gnome-screensaver-dialog: PAM audit_open() failed:
Permission denied


Comment 8 Ray Strode [halfline] 2008-06-06 17:26:39 UTC
So Tomas was answering comment 0. Your issue is slightly different, so it might
be better to open a new bug against pam.

