Bug 63172 - pam_userlist is buggy
pam_userlist is buggy
Status: CLOSED RAWHIDE
Product: Red Hat Public Beta
Classification: Retired
Component: kapabilities (Show other bugs)
skipjack-beta2
All Linux
high Severity high
: ---
: ---
Assigned To: wdovlrrw
:
Depends On:
Blocks: 61901
  Show dependency treegraph
 
Reported: 2002-04-10 16:16 EDT by Nalin Dahyabhai
Modified: 2008-05-01 11:38 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2002-04-15 18:25:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nalin Dahyabhai 2002-04-10 16:16:25 EDT
The pam_userlist module has numerous problems.

There is no documentation.

The module determine's the user's identity by using the getuid() function, which
will cause it to not work properly when called from an application like login or
ftpd.

When parsing arguments, it uses strtok(), which will destroy any context a
calling application might have.  While this is allowed, it is highly undesirable.

When determining the current user's name, it uses getpwuid(), which will destroy
any preexisting queries an application might have made.  This problem in
pam_limits led to strange behavior with OpenSSH's sshd.  Like strtok(), this is
allowed but undesirable.

When checking if the current user is in a group, only the primary group ID is
checked.  Supplemental group memberships are ignored.
Comment 1 Bernhard Rosenkraenzer 2002-04-15 09:31:26 EDT
As discussed in email, getuid() and friends have to be used to get the  
functionality it provides. I've added documentation explaining what it is and  
why it can't be used for services like login or ftpd.  
  
The strtok usage is ok since it operates on a strdup()'ed string, the calling 
application isn't affected. 
 
Support for supplementary groups has been added in 1.0.1-1.
Comment 2 Nalin Dahyabhai 2002-04-15 16:36:04 EDT
You seem to be confusing strtok() and strtok_r() here.  This bug is still
present in 1.0.1, and my other misgivings about including it in a release still
stand.
Comment 3 Nalin Dahyabhai 2002-04-15 18:25:45 EDT
pam_userlist checks the current group, and then the user's default group list,
which may have changed if the user ran sg(1) or newgrp(1), or if the login
session used pam_groups to modify the user's group list.  It should use
getgroups() to retrieve the current supplemental groups list instead.
Comment 4 Bernhard Rosenkraenzer 2002-04-16 11:57:33 EDT
Really fixed in 1.0.2-1.

Note You need to log in before you can comment on or make changes to this bug.