Bug 80223 - Abstraction violation: Bad responsibility separation between 'passwd' and PAM
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: passwd
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Mike McLean
Reported: 2002-12-22 18:48 UTC by Konstantin Andreev
Modified: 2007-11-30 22:10 UTC (History)
Doc Type: Enhancement
Last Closed: 2005-12-02 15:27:57 UTC
Description Konstantin Andreev 2002-12-22 18:48:37 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 95)

Description of problem:
The following checks are found in the passwd.c source code:

1) L240: Only root can do that
2) L250: Only root can specify a user name
3) L299: Unknown user name

and, maybe (I'm not sure),

4) L290: Can not identify you

are not valid in a PAM-aware password-changing utility. These are legacy
checks, suitable only for a pwdb ( /etc/{shadow,passwd} ) -aware utility. If
using PAM, these checks should be delegated to the corresponding pam_unix* and
pam_pwdb modules.

Having these checks in 'passwd' will cause malfunctioning in the following
environments:

1) where an authentication subsystem other than pwdb is used (some kind of
remote authentication)
2) where filesystems supporting ACLs are used.
3) ...

Version-Release number of selected component (if applicable):
passwd-0.67-3
pam-0.75-24

How reproducible: (not applicable)
Steps to Reproduce: (not applicable)
Actual Results:  (not applicable)
Expected Results:  (not applicable)

Comment 1 Tomas Mraz 2005-09-08 17:01:17 UTC
I will reconsider this in future.

Comment 2 Tomas Mraz 2005-12-02 12:45:29 UTC
Removing the checks would be a potential security problem as passwd is setuid
utility. Making passwd non-setuid would require changing pam_unix (and possibly
other PAM modules which take care of user passwords) to be able to change
passwords with uid != 0.


Comment 3 Konstantin Andreev 2005-12-02 13:22:25 UTC
(In reply to comment #2)
> Removing the checks would be a potential security problem as passwd is setuid
> utility. Making passwd non-setuid would require changing pam_unix (and possibly
> other PAM modules which take care of user passwords) to be able to change
> passwords with uid != 0.

In other words, you are saying: "I do not know how to cope with this."

Yes, it's not easy. The question is not setuid OR not-setuid.  The question is 
about system design. You should change it to have a robust system.

Comment 4 Tomas Mraz 2005-12-02 15:27:57 UTC
No, I'm not saying "I do not know how to cope with this." I'm just saying
there aren't, and in the foreseeable future won't be, resources available for doing this.

Feel free to create the necessary patches for all affected packages and submit
them for review.
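
Added example (not part of the bug thread and not code from passwd.c): a minimal model of the four checks listed in the description, showing why comment 2 ties them to setuid. In a setuid-root binary the effective uid is always 0, so only the real uid from getuid() distinguishes the invoker. The function names, parameters and the order of the checks are assumptions made for illustration.

```c
#include <pwd.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcomes named after the messages quoted in the bug description. */
enum verdict {
    ALLOW,
    ONLY_ROOT_CAN_DO_THAT,
    ONLY_ROOT_CAN_SPECIFY_USER,
    CANNOT_IDENTIFY_YOU,
    UNKNOWN_USER_NAME
};

/*
 * Pure decision function (hypothetical, for illustration only).
 *   ruid          real uid of the invoker: getuid(), never geteuid()
 *   caller_known  non-zero if ruid resolves to an account
 *   target        user name given on the command line, NULL if none
 *   admin_op      non-zero when an administrative option was requested
 *   target_known  non-zero if the target name resolves to an account
 */
enum verdict authorize(uid_t ruid, int caller_known, const char *target,
                       int admin_op, int target_known)
{
    if (admin_op && ruid != 0)
        return ONLY_ROOT_CAN_DO_THAT;
    if (target != NULL && ruid != 0)
        return ONLY_ROOT_CAN_SPECIFY_USER;
    if (target == NULL && !caller_known)
        return CANNOT_IDENTIFY_YOU;
    if (target != NULL && !target_known)
        return UNKNOWN_USER_NAME;
    return ALLOW; /* only now would the request be handed to PAM */
}

/* Wrapper that gathers the inputs from the running process. */
enum verdict authorize_process(const char *target, int admin_op)
{
    uid_t ruid = getuid();               /* the invoker, not the file owner */
    int caller_known = getpwuid(ruid) != NULL;
    int target_known = target != NULL && getpwnam(target) != NULL;
    return authorize(ruid, caller_known, target, admin_op, target_known);
}
```

If the checks keyed on geteuid() instead, every invocation of a setuid-root binary would look like root and the first two checks would never fire.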


