Bug 497333 - lchsh asks twice for password and needs set-root-id on ldap accounts
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libuser
Version: 14
Hardware/OS: All Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Miloslav Trmač
QA Contact: Fedora Extras Quality Assurance
Keywords: Triaged
Reported: 2009-04-23 08:35 EDT by Herbert Gasiorowski
Modified: 2011-03-24 09:21 EDT
CC: 3 users

Fixed In Version: libuser-0.57-1.fc15
Doc Type: Bug Fix
Last Closed: 2011-01-10 13:31:08 EST
Description Herbert Gasiorowski 2009-04-23 08:35:45 EDT
Description of problem:

changing the shell for an ldap account needs "only" to authenticate to the ldap
server in order to change the shell (or password).
So there is no reason to authenticate to pam (and therefore run as root).

Version-Release number of selected component (if applicable):
libuser-0.56.9-1.i386

How reproducible:

run lchsh without set-root-id (and no [imports] in /etc/libuser.conf)
or
run lchsh with set-root-id and you need to enter the password twice


Additional info:

Maybe it is possible to integrate libuser into "authconfig --enableldapauth".
Comment 1 Miloslav Trmač 2009-04-24 05:32:05 EDT
Thanks for your report.

I can't recommend making lchsh setuid root - libuser has not undergone any serious security review.  This is inconsistent with the requirement of PAM authentication.

I'm a bit worried that removing the PAM authentication will turn lch* into a security hole in installations that currently make lch* setuid root.
Comment 2 Herbert Gasiorowski 2009-04-24 08:13:35 EDT
ok, I will replace lchsh by the following script:

#!/bin/sh
# Change the caller's own loginShell in LDAP by binding as the caller's DN.
# No root and no PAM involved: the LDAP server authenticates the user itself.
LDAPHOST=ldaphost
BASE=dc=mathematik,dc=uni-marburg,dc=de
USER_NAME=${LOGNAME:-$(id -un)}
DN="uid=$USER_NAME,ou=People,$BASE"

if [ -z "$1" ]; then
	echo "USAGE: $0 new-login-shell" >&2
	exit 2
fi
# Exact, literal whole-line match (-x -F) so regex characters in $1 cannot
# widen the match; only shells listed in /etc/shells are accepted, as chsh does.
if ! grep -qxF -- "$1" /etc/shells; then
	echo "! shell '$1' not in /etc/shells" >&2
	exit 1
fi

# -x: simple bind, -W: prompt for the bind password (once).
# A simple bind sends the password in clear text; add -ZZ (StartTLS) or use an
# ldaps:// URL unless the connection is protected some other way.
ldapmodify -x -W -H "ldap://$LDAPHOST" -D "$DN" <<EOF
dn: $DN
changetype: modify
replace: loginShell
loginShell: $1
EOF
Comment 3 Bug Zapper 2009-11-18 07:50:37 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Miloslav Trmač 2009-11-18 11:05:02 EST
It seems skipping the authentication if (!lu_uses_elevated_privileges() && (application is not set-uid nor-set-gid)) would be safe.
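The rule in comment 4 (and the worry in comment 1 about installations that make lch* setuid root) comes down to one decision: authentication may be skipped only when the tool does not use elevated privileges and the binary is not running set-uid or set-gid. The following is an added example in C, not libuser's code; lu_uses_elevated_privileges() is modelled as a plain flag, and every function name below is hypothetical. Besides comparing real and effective ids, it also consults the kernel's AT_SECURE auxiliary-vector flag on Linux, which stays set for a "secure exec" (setuid, setgid, file capabilities) even if the program has since reset its ids.

```c
/*
 * Added example, not part of libuser: decide whether a libuser-based tool
 * such as lchsh must still run PAM authentication before touching an
 * account. Names are hypothetical; lu_uses_elevated_privileges() is
 * modelled by the uses_elevated_privileges flag.
 */
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>   /* getauxval(AT_SECURE) */
#endif

/* Pure decision on process identity, so it can be tested with constructed ids. */
bool ids_are_elevated(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                      bool at_secure)
{
    /* Real != effective id means a set-uid or set-gid bit was honoured. */
    if (ruid != euid || rgid != egid)
        return true;
    /* AT_SECURE covers a secure exec whose ids were reset afterwards. */
    return at_secure;
}

/*
 * PAM authentication is required if the tool needs elevated privileges for
 * its work (local /etc/passwd or /etc/shadow edits) OR the process itself is
 * privileged. Only an unprivileged process talking to a backend such as
 * LDAP, which authenticates the user itself, may skip it.
 */
bool must_authenticate(bool uses_elevated_privileges,
                       uid_t ruid, uid_t euid, gid_t rgid, gid_t egid,
                       bool at_secure)
{
    if (uses_elevated_privileges)
        return true;
    return ids_are_elevated(ruid, euid, rgid, egid, at_secure);
}

/* Wrapper over the live process state. */
bool must_authenticate_now(bool uses_elevated_privileges)
{
    bool secure = false;
#ifdef __linux__
    secure = getauxval(AT_SECURE) != 0;
#endif
    return must_authenticate(uses_elevated_privileges,
                             getuid(), geteuid(), getgid(), getegid(), secure);
}

int main(void)
{
    /* Example: LDAP-only configuration, no privileged local modules loaded. */
    bool uses_elevated = false;
    printf("PAM authentication required: %s\n",
           must_authenticate_now(uses_elevated) ? "yes" : "no");
    return 0;
}
```

Run as an ordinary user from a non-setuid binary it reports "no"; install the same binary set-uid root and it reports "yes", which is exactly the property comment 1 asks for: removing the PAM step never weakens an installation that relies on a setuid lch*.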
Comment 5 Miloslav Trmač 2010-09-07 14:48:03 EDT
Fixed in upstream commit f105137faf05
Comment 6 Bug Zapper 2010-11-04 07:19:06 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Fabrice Bellet 2010-12-22 11:14:44 EST
The upstream fix works for me, thanks. It would be great to push a fedora package update including this patch.
Comment 8 Miloslav Trmač 2010-12-22 12:09:21 EST
I'd rather not do such a behavior change - however an updated upstream release should land in rawhide soon-ish.
Comment 9 Miloslav Trmač 2011-01-10 13:31:08 EST
Fix released in rawhide libuser-0.57-1.fc15.
Comment 10 Aleksey Nogin 2011-03-23 14:19:07 EDT
Any chance of this being fixed on RHEL5?
Comment 11 Miloslav Trmač 2011-03-24 09:21:18 EDT
(In reply to comment #10)
> Any chance of this being fixed on RHEL5?
I don't think this behavior should be changed in an existing release, for the same reasons the behavior was not changed in F14.

For RHEL5 we could provide a separate binary (say /usr/bin/lchsh-noauth), which skips the PAM authentication (while leaving the behavior of the /usr/bin/lchsh unchanged).  If you are a Red Hat customer with an active subscription, please visit the Red Hat Customer Portal at http://access.redhat.com/ to allow correct prioritization of such a change.
