Bug 594903 - insufficient error checking in pam_succeed_if
Status: CLOSED NEXTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam
5.5
All Linux
medium Severity medium
: rc
Assigned To: Tomas Mraz
BaseOS QE Security Team
: Patch
Blocks: 590060
Reported: 2010-05-21 17:42 EDT by Jeff Bastian
Modified: 2012-07-27 15:55 EDT (History)

Doc Type: Bug Fix
Last Closed: 2011-10-17 04:22:28 EDT


Attachments
backport Fedora 12 pam_succeed_if to RHEL 5 (3.93 KB, patch)
2010-05-21 17:57 EDT, Jeff Bastian

Description Jeff Bastian 2010-05-21 17:42:40 EDT
Description of problem:
pam_succeed_if does not sufficiently check for errors in the options given to it.

This can result in at least two problems:
  1. no errors or warnings about the bad options in syslog
  2. it can leave a session broken wrt audit uid (auid) in the audit logs
     which makes the audit logs useless for audit


Version-Release number of selected component (if applicable):
pam-0.99.6.2-6.el5

How reproducible:
every time

Steps to Reproduce:
1. Enable logging of everything with syslog.  Add this line to /etc/syslog.conf and restart syslogd:
*.*                                                     /var/log/debug

2. Edit /etc/pam.d/system-auth-ac and add this line after all the session lines:
session     sufficient    pam_succeed_if.so debug uid=0

   Note that 'uid=0' is intentionally wrong.  It should be 'uid eq 0', i.e.,
   there should be white space between the arguments and '=' should be 'eq'
   for a numerical comparison (not string).

   The entire session section should look like:
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     sufficient    pam_succeed_if.so debug uid=0


3. Run 'tail -f /var/log/debug' and 'tail -f /var/log/audit/audit.log' as root

4. Login to the box as a regular user
  
Actual results:
There are no warnings or errors in /var/log/debug about 'uid=0' being incorrect

The audit logs show auid=4294967295 instead of the real uid.  For example:
type=USER_ACCT msg=audit(1274476121.524:1780): user pid=5262 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: accounting acct="johndoe" : exe="/usr/sbin/sshd" (hostname=system.example.com, addr=192.168.0.1, terminal=ssh res=success)'


Expected results:
A warning or error indicating 'uid=0' is bad.

The correct auid in the audit logs.


Additional info:
Comment 1 Jeff Bastian 2010-05-21 17:57:45 EDT
Created attachment 415789 [details]
backport Fedora 12 pam_succeed_if to RHEL 5

I compared the pam_succeed_if.c source from RHEL 5.5 and Fedora 12 and it hasn't changed much except for better option parsing and more error checking.  When I used this module on RHEL 5, it fixed both problems.

1. An error now appears in /var/log/debug:
May 21 16:26:46 system sshd[5367]: pam_succeed_if(sshd:session): incomplete condition detected

2. The audit auid is correct, 500 instead of 4294967295:
type=USER_START msg=audit(1274477206.630:1797): user pid=5367 uid=0 auid=500 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session open acct="johndoe" : exe="/usr/sbin/sshd" (hostname=system.example.com, addr=192.168.0.1, terminal=ssh res=success)'
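The check that the backported module performs, as an added example written for this page rather than code from pam_succeed_if.c: it consumes the module's arguments as "field op value" triplets, skips the bare option keywords, and reports the same "incomplete condition detected" error shown in the comment above when a token such as 'uid=0' is left without an operator and value. Option and operator names follow the pam_succeed_if(8) manual page; check_conditions and check_line are this example's own helpers.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical checker, not the pam_succeed_if.c source: consumes the module's
 * arguments as the fixed module does, one "field op value" triplet at a time. */
static const char *const flags[] = { "debug", "use_uid", "quiet", "quiet_fail", "audit", NULL };

static int in_list(const char *s, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(s, *list) == 0) return 1;
    return 0;
}

/* Returns the number of complete conditions, or -1 at the first incomplete one. */
int check_conditions(int argc, const char **argv)
{
    int i = 0, n = 0;
    while (i < argc) {
        if (in_list(argv[i], flags)) { i++; continue; }   /* bare option keyword */
        if (argc - i < 3) {                                /* "uid=0" is a single token */
            fprintf(stderr, "incomplete condition detected: \"%s\"\n", argv[i]);
            return -1;
        }
        i += 3; n++;                                       /* field, operator, value */
    }
    return n;
}

/* Splits the module-argument part of a pam.d line on white space and checks it. */
int check_line(const char *args)
{
    char buf[256];
    const char *argv[32];
    int argc = 0;
    snprintf(buf, sizeof buf, "%s", args);
    for (char *t = strtok(buf, " \t"); t && argc < 32; t = strtok(NULL, " \t"))
        argv[argc++] = t;
    return check_conditions(argc, argv);
}

int main(void)
{
    printf("%d\n", check_line("debug uid=0"));      /* -1: the line from the report */
    printf("%d\n", check_line("debug uid eq 0"));   /* 1: the corrected line */
    return 0;
}
```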
Comment 2 Jeff Bastian 2010-05-21 18:02:26 EDT
I forgot a step in the reproducer method:

0. Add two audit rules:
auditctl -a exit,never -F 'auid>2147483645'
auditctl -a exit,always -F 'auid!=0' -F uid=0 -S execve
Comment 4 Tomas Mraz 2010-05-24 02:34:56 EDT
Problem 2 is actually a problem of your misconfiguration and not really a pam_succeed_if problem in any way. You should never put a 'sufficient' module in the session PAM stack, as pam_loginuid or other modules in the concrete service configuration files could be skipped this way.

But problem 1 is real.
Comment 7 RHEL Product and Program Management 2011-01-11 15:57:19 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 8 RHEL Product and Program Management 2011-01-11 18:20:02 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 11 RHEL Product and Program Management 2011-05-31 09:36:42 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 12 RHEL Product and Program Management 2011-09-22 20:16:53 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
