Debian Bug report logs - #195048
login releases root privileges before executing PAM close session code


Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow (PTS, buildd, popcon).

Reported by: "mike@flyn.org" <mike@flyn.org>

Date: Wed, 28 May 2003 11:03:10 UTC

Severity: normal

Found in version 4.0.3-8

Fixed in version shadow/1:4.0.3-11

Done: Karl Ramm <kcr@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#195048; Package login. (full text, mbox, link).


Acknowledgement sent to "mike@flyn.org" <mike@flyn.org>:
New Bug report received and forwarded. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "mike@flyn.org" <mike@flyn.org>
To: <submit@bugs.debian.org>
Subject: login releases root privileges before executing PAM close session code
Date: Wed, 28 May 2003 07:00:40 -0400
Package: login
Version: 4.0.3-8

Login gives up root privileges before executing PAM session closing code.  As a 
result, PAM modules that require root privileges to properly close a user's 
session fail to do so.

Neither gdm nor su display this behavior.  Both of these programs retain root 
privileges while they execute PAM session closing code.  I believe this is the 
proper behavior (an email to the Linux-PAM mailing list stated that this is the 
case).

Pam_mount may fail to unmount a user's volumes when a user logs out due to this 
bug.




Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#195048; Package login. (full text, mbox, link).


Acknowledgement sent to "mike@flyn.org" <mike@flyn.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #10 received at 195048@bugs.debian.org (full text, mbox, reply):

From: "mike@flyn.org" <mike@flyn.org>
To: <195048@bugs.debian.org>
Subject: [patch] login releases root privileges before executing PAM close session code
Date: Sun, 01 Jun 2003 08:34:16 -0400

I have made a patch, available at
http://www.flyn.org/patches/shadow_4.0.3-root_close/shadow_4.0.3-root_close.diff.gz,
that fixes login's behavior with respect to PAM close session code.

Currently, login releases root privileges /before/ it forks to execute a shell.  
This results in PAM close session code running without root privileges when a 
normal user logs out.

My patch causes login to release root privileges /after/ it forks.  The shell is 
executed as a user but the clean-up code is executed as root.

Executing PAM close session code as root is correct behavior.  Gdm, su, etc. 
work this way.

Moving the release of root code further down in execution means that a little bit 
more code is run as root than before.  I did not audit this code -- I am 
assuming that the code was written correctly.  Login does work when the patch is 
applied, though.

I have also sent this patch to the shadow maintainer, kloczek@pld.org.pl.

--
Mike
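
The ordering described in the message above, as an added example that is not part of the original report or of shadow's login.c: fork first, drop privileges only in the child, and leave the parent's credentials untouched for the clean-up step. The names `drop_to`, `run_session` and `session_result` are hypothetical, and the child exits where real code would exec the shell.

```c
/* Added example; drop_to, run_session and session_result are hypothetical names. */
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

struct session_result { uid_t child_euid; uid_t cleanup_euid; int child_status; };

/* Permanently become uid/gid: supplementary groups, then gid, then uid. */
static int drop_to(uid_t uid, gid_t gid)
{
    /* Only root can reset the group list, and only leaving root needs it. */
    if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;   /* root must be unrecoverable */
    return (geteuid() == uid && getegid() == gid) ? 0 : -1;
}

/* Child stands in for the user's shell, parent for login waiting on logout. */
static struct session_result run_session(uid_t uid, gid_t gid)
{
    struct session_result r = { (uid_t)-1, (uid_t)-1, -1 };
    int fds[2], status;
    if (pipe(fds) != 0) return r;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return r; }
    if (pid == 0) {                        /* child: drop AFTER the fork */
        uid_t me;
        close(fds[0]);
        if (drop_to(uid, gid) != 0) _exit(1);
        me = geteuid();
        if (write(fds[1], &me, sizeof me) != (ssize_t)sizeof me) _exit(2);
        _exit(0);                          /* real code would exec the shell */
    }
    close(fds[1]);                         /* parent: credentials untouched */
    if (read(fds[0], &r.child_euid, sizeof r.child_euid) != (ssize_t)sizeof r.child_euid)
        r.child_euid = (uid_t)-1;
    close(fds[0]);
    if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        r.child_status = WEXITSTATUS(status);
    r.cleanup_euid = geteuid();            /* session close code would run here */
    return r;
}

int main(void)
{
    struct session_result r = run_session(getuid(), getgid());
    printf("child euid=%ld, clean-up euid=%ld, child exit=%d\n", (long)r.child_euid, (long)r.cleanup_euid, r.child_status);
    return r.child_status == 0 ? 0 : 1;
}
```

Run as root with a non-root target uid and gid, the two reported euids differ: the child reports the target uid while the clean-up step still reports 0.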




Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#195048; Package login. (full text, mbox, link).


Acknowledgement sent to "mike@flyn.org" <mike@flyn.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #15 received at 195048@bugs.debian.org (full text, mbox, reply):

From: "mike@flyn.org" <mike@flyn.org>
To: <195048@bugs.debian.org>
Date: Fri, 13 Jun 2003 02:38:25 -0400
--- shadow-4.0.3-vanilla/src/login.c    2002-03-07 22:30:28.000000000 -0600
+++ shadow-4.0.3/src/login.c    2003-06-01 15:30:56.000000000 -0500
@@ -1208,14 +1208,6 @@
        login_fbtab (tty, pwent.pw_uid, pwent.pw_gid);
 #endif
                                                                                

-       /* We call set_groups() above because this clobbers pam_groups.so */
-#ifndef USE_PAM
-       if (setup_uid_gid (&pwent, is_console))
-#else
-       if (change_uid (&pwent))
-#endif
-               exit (1);
-
 #ifdef KERBEROS
        if (clear_pass)
                login_kerberos (username, clear_pass);
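
Review bot: With the uid/gid switch removed from this spot, the login_kerberos (username, clear_pass) call in the trailing context, and everything else between here and the new call site around line 1336, now runs with root privileges instead of the user's. The submitter states that this span was not audited, so please check it for anything that assumes the user's identity (files it creates would now be owned by root, and permission checks it relied on the kernel to enforce would no longer apply) before merging.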
@@ -1344,6 +1336,14 @@
                /* child */
        }
 #endif
+       /* We call set_groups() above because this clobbers pam_groups.so */
+#ifndef USE_PAM
+       if (setup_uid_gid (&pwent, is_console))
+#else
+       if (change_uid (&pwent))
+#endif
+               exit (1);
+
        signal (SIGINT, SIG_DFL);       /* default interrupt signal */
                                                                                

        endpwent ();    /* stop access to password file */
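
Review bot: The re-added block moves both arms of the #ifndef USE_PAM conditional, but only the change_uid (USE_PAM) arm has session close code that needs root; the setup_uid_gid arm in a non-PAM build just gets a longer root window, so consider leaving that arm at its old position. Please also confirm that only the child can reach this point after the /* child */ block, because a parent falling through would drop root as well and the fix would have no effect. The carried-over comment about set_groups() being "above" should gain a line explaining why the drop now sits after the fork.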





Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#195048; Package login. (full text, mbox, link).


Acknowledgement sent to Bastian Kleineidam <calvin@debian.org>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #20 received at 195048@bugs.debian.org (full text, mbox, reply):

From: Bastian Kleineidam <calvin@debian.org>
To: 195048@bugs.debian.org
Subject: Please be careful with this patch
Date: Mon, 8 Sep 2003 15:20:29 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I just wanted to make a note about this patch: please be _very_ careful
when applying it. This might just introduce a whole lot of security
flaws with unrelated software that relied on the fact that close_session
is executed without root privileges.

Mike, this does not say your patch is bad, but there is already a lot
of PAM session stuff out there and until somebody has looked at all of
those programs very closely, I vote against this patch.

Ciao, Bastian
- -- 
  ,''`.    Bastian Kleineidam  .  calvin (at) debian.org
 : :' :
 `. `'    GnuPG key http://kampfwurst.net/gpgkey.txt
   `-

A cow is sitting in a tree, knitting strawberries.
A policeman comes by: "No fishing!" "What, half past four already?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/XIIdeBwlBDLsbz4RAnRMAKCHVh1O5M0g4B+iyIl0bTnauJr6ogCfXsaI
v/jLhEXQ7szOpV7fZGzOLKU=
=MrLK
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Karl Ramm <kcr@debian.org>:
Bug#195048; Package login. (full text, mbox, link).


Acknowledgement sent to Sam Hartman <hartmans@mit.edu>:
Extra info received and forwarded to list. Copy sent to Karl Ramm <kcr@debian.org>. (full text, mbox, link).


Message #25 received at 195048@bugs.debian.org (full text, mbox, reply):

From: Sam Hartman <hartmans@mit.edu>
To: Bastian Kleineidam <calvin@debian.org>
Cc: 195048@bugs.debian.org
Subject: Re: Bug#195048: Please be careful with this patch
Date: Thu, 11 Sep 2003 12:58:11 -0400
>>>>> "Bastian" == Bastian Kleineidam <calvin@debian.org> writes:

    Bastian> Hi, I just wanted to make a note about this patch: please
    Bastian> be _very_ careful when applying it. This might just
    Bastian> introduce a whole lot of security flaws with unrelated
    Bastian> software that relied on the fact that close_session is
    Bastian> executed without root privileges.

Hi.  A lot of other things already run close_session as root, and the
PAM mini-policy requires that close_session run as root.




Reply sent to Karl Ramm <kcr@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to "mike@flyn.org" <mike@flyn.org>:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 195048-close@bugs.debian.org (full text, mbox, reply):

From: Karl Ramm <kcr@debian.org>
To: 195048-close@bugs.debian.org
Subject: Bug#195048: fixed in shadow 1:4.0.3-11
Date: Sat, 13 Sep 2003 18:02:45 -0400
Source: shadow
Source-Version: 1:4.0.3-11

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.0.3-11_i386.deb
  to pool/main/s/shadow/login_4.0.3-11_i386.deb
passwd_4.0.3-11_i386.deb
  to pool/main/s/shadow/passwd_4.0.3-11_i386.deb
shadow_4.0.3-11.diff.gz
  to pool/main/s/shadow/shadow_4.0.3-11.diff.gz
shadow_4.0.3-11.dsc
  to pool/main/s/shadow/shadow_4.0.3-11.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 195048@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karl Ramm <kcr@debian.org> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat, 13 Sep 2003 17:49:29 -0400
Source: shadow
Binary: login passwd
Architecture: source i386
Version: 1:4.0.3-11
Distribution: unstable
Urgency: low
Maintainer: Karl Ramm <kcr@debian.org>
Changed-By: Karl Ramm <kcr@debian.org>
Description: 
 login      - System login tools
 passwd     - Change and administer password and group data.
Closes: 195048 208122 210382
Changes: 
 shadow (1:4.0.3-11) unstable; urgency=low
 .
   * update Japanese debconf translation. closes: #210382
   * update Brazilian Portugese debconf translation. closes: #208122
   * run pam cleanup code as root. closes: #195048
Files: 
 cd87aa37474d7d44af88c118cae74f51 1383 base required shadow_4.0.3-11.dsc
 91160e7bf7660164227130a5845fd817 228855 base required shadow_4.0.3-11.diff.gz
 8159a6fad8370a794bf818a14f4d142a 429550 base required passwd_4.0.3-11_i386.deb
 80c9c4137320d2d3f1912540efe30d96 254554 base required login_4.0.3-11_i386.deb







Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Jul 1 12:10:14 2023; Machine Name: bembo
