Description of problem:
pam_succeed_if does not sufficiently check for errors in the options given to it. This can result in at least two problems:
1. no errors or warnings about the bad options in syslog
2. it can leave a session broken wrt audit uid (auid) in the audit logs, which makes the audit logs useless for audit

Version-Release number of selected component (if applicable):
pam-0.99.6.2-6.el5

How reproducible:
every time

Steps to Reproduce:
1. Enable logging of everything with syslog. Add this line to /etc/syslog.conf and restart syslogd:
   *.* /var/log/debug
2. Edit /etc/pam.d/system-auth-ac and add this line after all the session lines:
   session sufficient pam_succeed_if.so debug uid=0
   Note that 'uid=0' is intentionally wrong. It should be 'uid eq 0', i.e., there should be white space between the arguments and '=' should be 'eq' for a numerical comparison (not string). The entire session section should look like:
   session optional pam_keyinit.so revoke
   session required pam_limits.so
   session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session required pam_unix.so
   session sufficient pam_succeed_if.so debug uid=0
3. Run 'tail -f /var/log/debug' and 'tail -f /var/log/audit/audit.log' as root
4. Login to the box as a regular user

Actual results:
There are no warnings or errors in /var/log/debug about 'uid=0' being incorrect.
The audit logs show auid=4294967295 instead of the real uid. For example:
type=USER_ACCT msg=audit(1274476121.524:1780): user pid=5262 uid=0 auid=4294967295 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: accounting acct="johndoe" : exe="/usr/sbin/sshd" (hostname=system.example.com, addr=192.168.0.1, terminal=ssh res=success)'

Expected results:
A warning or error indicating 'uid=0' is bad.
The correct auid in the audit logs.

Additional info:
Created attachment 415789 [details]
backport Fedora 12 pam_succeed_if to RHEL 5

I compared the pam_succeed_if.c source from RHEL 5.5 and Fedora 12 and it hasn't changed much except for better option parsing and more error checking. When I used this module on RHEL 5, it fixed both problems.
1. An error now appears in /var/log/debug:
   May 21 16:26:46 system sshd[5367]: pam_succeed_if(sshd:session): incomplete condition detected
2. The audit auid is correct, 500 instead of 4294967295:
   type=USER_START msg=audit(1274477206.630:1797): user pid=5367 uid=0 auid=500 subj=system_u:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: session open acct="johndoe" : exe="/usr/sbin/sshd" (hostname=system.example.com, addr=192.168.0.1, terminal=ssh res=success)'
I forgot a step in the reproducer method:
0. Add two audit rules:
   auditctl -a exit,never -F 'auid>2147483645'
   auditctl -a exit,always -F 'auid!=0' -F uid=0 -S execve
Problem 2 is actually a problem of your misconfiguration and not really a pam_succeed_if problem in any way. You should never put a 'sufficient' module in the session PAM stack, as pam_loginuid or other modules in the concrete service configuration files could be skipped this way. But problem 1 is real.
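A small configuration lint for the two issues raised above (a pam_succeed_if condition written without whitespace around its operator, and a 'sufficient' control in the session stack), added here as an example and not part of the bug report, the attached backport or the pam module itself. It runs offline over a constructed copy of the session stack from the reproducer; the option-flag and operator sets are assumed to match pam_succeed_if(8).

```python
import re
FLAGS = {"debug", "use_uid", "quiet", "quiet_fail", "quiet_success", "audit"}  # assumed per pam_succeed_if(8)
NUMERIC_OPS = {"eq", "ne", "lt", "gt", "le", "ge"}
OPS = NUMERIC_OPS | {"=", "!=", "<", ">", "<=", ">=", "=~", "!~", "in", "notin", "ingroup", "notingroup"}

# Constructed sample: the session stack from the reproducer, including the bad 'uid=0' line.
SAMPLE_SYSTEM_AUTH = """\
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     sufficient    pam_succeed_if.so debug uid=0
"""

def split_pam_line(line):
    """Split a pam.d line into (type, control, module, args); control may be [..]; None for blanks/comments."""
    m = re.match(r"^\s*([^#\s]\S*)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
    return None if m is None else (m.group(1), m.group(2), m.group(3), m.group(4).split())

def check_conditions(args):
    """Walk the module arguments the way the module does: option flags, then field/op/value triples."""
    findings, toks = [], list(args)
    while toks:
        if toks[0] in FLAGS:
            toks.pop(0)
            continue
        if len(toks) < 3:  # leftover tokens that do not form a triple, e.g. the lone 'uid=0'
            findings.append("incomplete condition %r (expected 'field op value', e.g. 'uid eq 0')" % " ".join(toks))
            break
        field, op, value = toks[:3]
        del toks[:3]
        if op not in OPS:
            findings.append("unknown operator %r in condition %r" % (op, " ".join((field, op, value))))
        elif op in NUMERIC_OPS and not value.isdigit():
            findings.append("numeric operator %r used with non-numeric value %r" % (op, value))
    return findings

def lint_pam_config(text):
    """Return (line_number, message) findings for every pam_succeed_if line in a pam.d file."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        parsed = split_pam_line(line)
        if parsed is None or parsed[2] != "pam_succeed_if.so":
            continue
        ptype, control, _module, args = parsed
        if ptype == "session" and control == "sufficient":
            findings.append((n, "'sufficient' in the session stack can skip later modules such as "
                                "pam_loginuid, leaving auid unset (4294967295) in the audit log"))
        findings.extend((n, msg) for msg in check_conditions(args))
    return findings
```

Running lint_pam_config(SAMPLE_SYSTEM_AUTH) reports both findings on line 5 only; the bracketed [success=1 default=ignore] line with 'service in crond' parses cleanly.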
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
This request was erroneously denied for the current release of Red Hat Enterprise Linux. The error has been fixed and this request has been re-proposed for the current release.