Debian Bug report logs - #388431
pam_limits.so incorrectly allows real-time scheduling to unprivileged users by default


Package: libpam-modules; Maintainer for libpam-modules is Steve Langasek <vorlon@debian.org>; Source for libpam-modules is src:pam.

Reported by: Ville Hallik <ville@linux.ee>

Date: Wed, 20 Sep 2006 11:48:12 UTC

Severity: critical

Tags: confirmed, patch, security

Found in version pam/0.79-3.2

Fixed in version pam/0.79-4

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#388431; Package libpam-modules. Full text and rfc822 format available.

Acknowledgement sent to Ville Hallik <ville@linux.ee>:
New Bug report received and forwarded. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Ville Hallik <ville@linux.ee>
To: submit@bugs.debian.org
Subject: pam_limits.so incorrectly allows real-time scheduling to unprivileged users by default
Date: Wed, 20 Sep 2006 14:31:42 +0300 (EEST)
Package: libpam-modules
Version: 0.79-3.2
Severity: critical

Module pam_limits.so blindly sets almost all available limits to 
the unlimited value, including RLIMIT_NICE and RLIMIT_RTPRIO, which should 
be set to zero instead (this is also the kernel's default). This gives all 
users unlimited access to real-time scheduling, which can be used to 
completely lock up the entire system. I discovered it accidentally when my 
laptop locked up while I was experimenting with ecasound and alsa plugins. 
This problem appeared right after upgrading from 0.79-3.1 to 0.79-3.2, but 
the source change is not to blame --- building with a newer libc6-dev package 
is likely the direct cause of this problem (because RLIMIT_NICE and 
RLIMIT_RTPRIO were probably not available when the previous version of 
libpam-modules was built). With libpam-modules_0.79-3.1 I have 
(/etc/security/limits.conf is not modified):

$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
max nice                        (-e) 0
file size               (blocks, -f) unlimited
pending signals                 (-i) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) unlimited
max rt priority                 (-r) 0
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

But after upgrading to libpam_modules-0.79-3.2 and logging out and in I 
get:

$ ulimit -a
core file size          (blocks, -c) 0
data seg size           (kbytes, -d) unlimited
max nice                        (-e) unlimited
file size               (blocks, -f) unlimited
pending signals                 (-i) unlimited
max locked memory       (kbytes, -l) unlimited
max memory size         (kbytes, -m) unlimited
open files                      (-n) 1024
pipe size            (512 bytes, -p) 8
POSIX message queues     (bytes, -q) unlimited
max rt priority                 (-r) unlimited
stack size              (kbytes, -s) 8192
cpu time               (seconds, -t) unlimited
max user processes              (-u) unlimited
virtual memory          (kbytes, -v) unlimited
file locks                      (-x) unlimited

-- 

Ville Hallik
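An added check, not part of the bug report or of pam itself, that an administrator can run in a freshly opened login shell to see whether that session received the bad defaults described above. It assumes a Linux glibc that defines RLIMIT_NICE and RLIMIT_RTPRIO; on a system that does not, it reports the limits as unsupported.

```c
/* Added example (not from the bug report or from pam): audit the two limits
 * pam_limits 0.79-3.2 wrongly raised to RLIM_INFINITY.  The kernel default for
 * RLIMIT_NICE and RLIMIT_RTPRIO is 0 ("max nice"/"max rt priority" in ulimit). */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/resource.h>

enum rt_exposure {
    RT_SAFE = 0,
    RT_NICE_RAISED = 1,   /* user may set negative nice values */
    RT_RTPRIO_RAISED = 2  /* user may take SCHED_FIFO/SCHED_RR priority */
};

/* Pure classification on the hard limits (rlim_max), the ceiling an
 * unprivileged user can raise the soft limit to: any nonzero value is
 * exposure, and RLIM_INFINITY is the case from the report. */
int rt_exposure_flags(rlim_t nice_hard, rlim_t rtprio_hard)
{
    int flags = RT_SAFE;
    if (nice_hard != 0)
        flags |= RT_NICE_RAISED;
    if (rtprio_hard != 0)
        flags |= RT_RTPRIO_RAISED;
    return flags;
}

/* Query the running process and print the hard limits.  Returns the exposure
 * flags, or -1 when this kernel/libc does not know the limits at all (a
 * pam_limits built there could not have raised them, as before 0.79-3.2). */
int audit_current_rt_limits(void)
{
#if defined(RLIMIT_NICE) && defined(RLIMIT_RTPRIO)
    struct rlimit l[2];
    const char *name[2] = { "max nice", "max rt priority" };
    if (getrlimit(RLIMIT_NICE, &l[0]) != 0 || getrlimit(RLIMIT_RTPRIO, &l[1]) != 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        if (l[i].rlim_max == RLIM_INFINITY)
            printf("%-16s hard=unlimited\n", name[i]);
        else
            printf("%-16s hard=%llu\n", name[i], (unsigned long long)l[i].rlim_max);
    }
    return rt_exposure_flags(l[0].rlim_max, l[1].rlim_max);
#else
    return -1;
#endif
}

int main(void)
{
    int flags = audit_current_rt_limits();
    if (flags > 0)
        printf("WARNING: unprivileged real-time exposure (flags=%d)\n", flags);
    else
        puts(flags == 0 ? "OK: limits at the kernel default of 0" : "limits not supported here");
    return flags > 0;
}
```

A non-zero exit status on a login shell that has never touched limits.conf is the symptom this report describes.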




Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#388431; Package libpam-modules. Full text and rfc822 format available.

Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #10 received at 388431@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: Ville Hallik <ville@linux.ee>, 388431@bugs.debian.org
Subject: Re: Bug#388431: pam_limits.so incorrectly allows real-time scheduling to unprivileged users by default
Date: Wed, 20 Sep 2006 20:10:59 -0700
tags 388431 confirmed
thanks

On Wed, Sep 20, 2006 at 02:31:42PM +0300, Ville Hallik wrote:

> Module pam_limits.so blindly sets almost all available limits to 
> the unlimited value, including RLIMIT_NICE and RLIMIT_RTPRIO that should 
> be set to zero instead (this is also kernel's default). This gives all 
> users unlimited access to the real-time scheduling which can be used to 
> completely lock up the entire system.

Confirmed, will investigate.

Patches welcome.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Tags added: confirmed Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#388431; Package libpam-modules. Full text and rfc822 format available.

Acknowledgement sent to Ville Hallik <ville@linux.ee>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>.

Your message did not contain a Subject field. They are recommended and useful because the title of a Bug is determined using this field. Please remember to include a Subject field in your messages in future.

Full text and rfc822 format available.


Message #17 received at 388431@bugs.debian.org (full text, mbox):

From: Ville Hallik <ville@linux.ee>
To: 388431@bugs.debian.org
Date: Thu, 21 Sep 2006 22:08:29 +0300 (EEST)
Ok, here is the patch. Comment inside the patch explains what it does:

diff -ru pam-0.79-3.2/Linux-PAM/modules/pam_limits/pam_limits.c pam-0.79-3.2.0vh/Linux-PAM/modules/pam_limits/pam_limits.c
--- pam-0.79-3.2/Linux-PAM/modules/pam_limits/pam_limits.c	2006-09-20 13:32:48.000000000 +0300
+++ pam-0.79-3.2.0vh/Linux-PAM/modules/pam_limits/pam_limits.c	2006-09-21 19:48:18.000000000 +0300
@@ -257,8 +257,38 @@
 	    pl->supported[i] = 1;
 	    pl->limits[i].src_soft = LIMITS_DEF_NONE;
 	    pl->limits[i].src_hard = LIMITS_DEF_NONE;
-	    pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
-	    pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+	    switch (i) {
+		case RLIMIT_CPU:
+		case RLIMIT_FSIZE:
+		case RLIMIT_DATA:
+		case RLIMIT_STACK:
+		case RLIMIT_CORE:
+		case RLIMIT_RSS:
+		case RLIMIT_NPROC:
+		case RLIMIT_NOFILE:
+		case RLIMIT_MEMLOCK:
+#ifdef RLIMIT_AS
+		case RLIMIT_AS:
+#endif
+#ifdef RLIMIT_LOCKS
+		case RLIMIT_LOCKS:
+#endif
+#ifdef RLIMIT_SIGPENDING
+		case RLIMIT_SIGPENDING:
+#endif
+#ifdef RLIMIT_MSGQUEUE
+		case RLIMIT_MSGQUEUE:
+#endif
+		    pl->limits[i].limit.rlim_cur = RLIM_INFINITY;
+		    pl->limits[i].limit.rlim_max = RLIM_INFINITY;
+		    break;
+		default:
+		    /* Dont touch unknown/unsupported rlimit values ---
+		     * RLIM_INFINITY might be a bad choice for them and
+		     * even open up security holes (for example, the latter
+		     * is true for RLIM_RTPRIO in newer Linux kernels). */
+		    break;
+	    }
 	}
     }
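Review bot: the `default:` branch leaves `pl->limits[i].limit.rlim_cur` and `.rlim_max` with whatever they held before this loop body, so the fix is only safe if that field was already loaded with the process's current limits by code above this hunk (not shown); worth confirming, because an uninitialised limit would be no better than `RLIM_INFINITY`. Two nits in the new comment: `RLIM_RTPRIO` should read `RLIMIT_RTPRIO` (the constant the report is about), "Dont" wants an apostrophe, and it could name `RLIMIT_NICE` too, since the report flags both.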

-- 

Ville Hallik



Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#388431; Package libpam-modules. Full text and rfc822 format available.

Acknowledgement sent to varg@theor.jinr.ru (Sheplyakov Alexei):
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #22 received at 388431@bugs.debian.org (full text, mbox):

From: varg@theor.jinr.ru (Sheplyakov Alexei)
To: 388431@bugs.debian.org
Subject: improved patch
Date: Fri, 22 Sep 2006 22:33:45 +0400
[Message part 1 (text/plain, inline)]
Hello!

Here is an improved variant of the patch. It allows the system administrator
to configure RLIMIT_RTPRIO and RLIMIT_NICE via "rt_priority" and "nice"
entries in /etc/security/limits.conf.

Best regards,
 Alexei.

-- 
All science is either physics or stamp collecting.

[pam_limits_rtprio_nice_vargs.diff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Tags added: patch Request was from Vincent Zweije <zweije@xs4all.nl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#388431; Package libpam-modules. Full text and rfc822 format available.

Acknowledgement sent to Gaudenz Steinlin <gaudenz@debian.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #29 received at 388431@bugs.debian.org (full text, mbox):

From: Gaudenz Steinlin <gaudenz@debian.org>
To: 388431@bugs.debian.org
Cc: vorlon@debian.org
Subject: proposed patch works
Date: Sat, 7 Oct 2006 17:31:48 +0200
[Message part 1 (text/plain, inline)]
Hi

I tested the proposed patch for this bug and it seems to work. IMHO the
patch seems correct. 

I did not upload an NMU, because I was not sure why the patch was not
yet integrated into the SVN repository. If you don't oppose I can do an
NMU either with only the patch applied to the version currently in sid
or of the current SVN version.

Attached you can find an updated patch which applies to the version in
SVN.

gaudenz

-- 
Ever tried. Ever failed. No matter.
Try again. Fail again. Fail better.
~ Samuel Beckett ~
[pam_limits_rtprio_nice.diff (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Sam Hartman <hartmans@debian.org>:
Bug#388431; Package libpam-modules. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <debian@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Sam Hartman <hartmans@debian.org>. Full text and rfc822 format available.

Message #34 received at 388431@bugs.debian.org (full text, mbox):

From: Holger Levsen <debian@layer-acht.org>
To: 388431@bugs.debian.org
Subject: patch works for me, too
Date: Sat, 14 Oct 2006 20:41:22 +0200
[Message part 1 (text/plain, inline)]
Hi,

I've tested the patch against sid (not svn) and can confirm that limiting 
"nice" and "rt_priority" via /etc/security/limits.conf now works as 
expected. Thanks Ville!


regards,
	Holger
[Message part 2 (application/pgp-signature, inline)]

Tags added: security Request was from Samuel Thibault <samuel.thibault@labri.fr> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from vorlon@users.alioth.debian.org to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: pending Request was from vorlon@users.alioth.debian.org to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Ville Hallik <ville@linux.ee>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #45 received at 388431-close@bugs.debian.org (full text, mbox):

From: Steve Langasek <vorlon@debian.org>
To: 388431-close@bugs.debian.org
Subject: Bug#388431: fixed in pam 0.79-4
Date: Mon, 23 Oct 2006 06:17:44 -0700
Source: pam
Source-Version: 0.79-4

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.79-4_i386.deb
  to pool/main/p/pam/libpam-cracklib_0.79-4_i386.deb
libpam-doc_0.79-4_all.deb
  to pool/main/p/pam/libpam-doc_0.79-4_all.deb
libpam-modules_0.79-4_i386.deb
  to pool/main/p/pam/libpam-modules_0.79-4_i386.deb
libpam-runtime_0.79-4_all.deb
  to pool/main/p/pam/libpam-runtime_0.79-4_all.deb
libpam0g-dev_0.79-4_i386.deb
  to pool/main/p/pam/libpam0g-dev_0.79-4_i386.deb
libpam0g_0.79-4_i386.deb
  to pool/main/p/pam/libpam0g_0.79-4_i386.deb
pam_0.79-4.diff.gz
  to pool/main/p/pam/pam_0.79-4.diff.gz
pam_0.79-4.dsc
  to pool/main/p/pam/pam_0.79-4.dsc



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 388431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Mon, 23 Oct 2006 05:36:08 -0700
Source: pam
Binary: libpam0g-dev libpam0g libpam-modules libpam-doc libpam-runtime libpam-cracklib
Architecture: source i386 all
Version: 0.79-4
Distribution: unstable
Urgency: medium
Maintainer: Sam Hartman <hartmans@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 122400 149027 149883 241663 313542 313588 318452 327272 335273 344447 352329 360657 388431
Changes: 
 pam (0.79-4) unstable; urgency=medium
 .
   * Medium-urgency upload; at least one RC bugfix, but also a
     significant number of changes, hence not urgency=high.
   * Move libpam-modules and libpam0g to Section: libs and libpam-runtime
     to section: admin, to match the overrides in the archive.
   * Move old changelog entries (well, entry) that don't follow the current
     format to debian/changelog.old, since there's no way to figure out a
     timestamp for an 8-year-old upload, and this is the most effective
     way to clear a glut of lintian warnings.
   * Fix the formatting of the libpam-cracklib package description.
   * Patch 010: remove parts of the patch that aren't necessary for C++
     compatibility.
   * Patch 060: fix a segfault in pam_tally caused by misuse of
     pam_get_data(); already fixed upstream.  Closes: #335273.
   * Patch 061: fix a double free in pam_issue, caused by overuse (and misuse)
     of strdup (similar to patch 059).  Already fixed upstream.
     Closes: #327272.
   * Don't build-depend on libselinux1-dev and libcap-dev on kfreebsd archs.
     Closes: #352329.
   * Patch 005: sync pam_limits with upstream:
     - support "-" (unlimited) for all limit types except process priority.
     - support the additional aliases "-1", "unlimited", and "infinity" for
       clearing the limits; closes: #122400, #149027.
     - restrict the range of process priority, login count, and system login
       count settings to (INT_MIN,INT_MAX) (heh).
     - special-case RLIM_INFINITY when applying multipliers to values from
       the config.
     - document maxsyslogins in the default limits.conf; closes: #149883.
     - use the current process priority as a default instead of resetting to
       0; closes: #241663.
     - add support for (and document) new RLIMIT_NICE and RLIMIT_RTPRIO
       settings in Linux 2.6.12 and above; closes: #313542, #313588.
     - allow imposing limits on uid=0.
   * Patch 027: only set RLIM_INFINITY as the default for the limits where
     we know this is sensible, so that recompiling in an environment with new
     limits doesn't create a security hole -- as happened with RLIMIT_NICE and
     RLIMIT_RTPRIO!  Thanks to Ville Hallik for the initial patch.
     Closes: #388431.
   * Patch 029, 047: Fix up the broken pam_limits capabilities patch so it
     actually works -- which may well be a first...  Closes: #318452.
 .
 pam (0.79-3.2) unstable; urgency=low
 .
   * Non-maintainer upload to fix important bug, that makes passwd segfault
     when CTRL-D is pressed at the password prompt.  Applied the patch
     provided by Dann Frazier.  (Closes: #360657)
 .
 pam (0.79-3.1) unstable; urgency=low
 .
   * Non-maintainer upload.
   * Linux-PAM/libpamc/include/security/pam_client.h,
     Linux-PAM/libpamc/pamc_converse.c: Apply patch from
     latest upstream version to remove redefinition of internal
     glibc/libstdc++ types.  Closes: #344447.
Files: 





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 02:59:03 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 14:38:45 2014; Machine Name: beach.debian.org
