Debian Bug report logs - #446327
pam_tally audit option locks out root


Package: libpam-modules; Maintainer for libpam-modules is Steve Langasek <vorlon@debian.org>; Source for libpam-modules is src:pam (PTS, buildd, popcon).

Reported by: Corey Wright <undefined@pobox.com>

Date: Fri, 12 Oct 2007 05:27:01 UTC

Severity: important

Tags: patch

Found in version pam/0.79-4

Fixed in version pam/0.99.7.1-6

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Steve Langasek <vorlon@debian.org>:
Bug#446327; Package libpam-modules. (full text, mbox, link).


Acknowledgement sent to Corey Wright <undefined@pobox.com>:
New Bug report received and forwarded. Copy sent to Steve Langasek <vorlon@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Corey Wright <undefined@pobox.com>
To: submit@bugs.debian.org
Subject: pam_tally audit option locks out root
Date: Fri, 12 Oct 2007 00:25:43 -0500
[Message part 1 (text/plain, inline)]
Package: libpam-modules
Version: 0.79-4
Severity: important
Tags: patch

this problem was detected on fedora 7, debugged & patched on debian etch,
and reported from lenny/testing, but the problem is applicable to all
distributions as the problem exists in the latest upstream version
(Linux-PAM 0.99.9.0).  please relay this to upstream.

if a user specifies the "audit" option, then it also triggers the
"even_deny_root_account" option.  why?  the audit option is defined as
decimal 100, not octal 100, which evaluates to true when bit-wise and-ed
with even_deny_root (and no_reset).

attached patch corrects the simple oversight.

i was tempted to give this a severity of "serious" because i can see some
unfortunate user getting locked out of their host at a remote data center
because all available accounts, including root, are denied login due to a
brute force attack.

but the severity should be irrelevant and a newly updated package pushed
out to all debian versions rather quickly as the problem is easily solved
with the attached patch, right? :-D

corey
-- 
undefined@pobox.com
[pam_tally.c_octal_audit_opt.patch (text/x-diff, attachment)]
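The following is an added illustration of the defect class described in the report above; it is not code from the report, from the attached patch, or from pam_tally.c. The option table, the names OPT_AUDIT_BUGGY and OPT_AUDIT_FIXED, and the helper functions are constructed for this example and do not reflect pam_tally's actual constant values or layout. It shows why a decimal literal in a table of octal bit flags silently sets other options (here the constructed "even_deny_root" bit), and gives a small check a maintainer can run over a flag table to catch overlapping or multi-bit flags before they ship.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed option table in the style of pam_tally.c's octal flag defines.
 * The values and names below are assumptions for illustration, not the
 * module's real constants or the layout the attached patch touches. */
#define OPT_FILE            01
#define OPT_DENY            02
#define OPT_ONERR_FAIL      04
#define OPT_UNLOCK_TIME     010
#define OPT_PER_USER        020
#define OPT_NO_LOCK_TIME    040
#define OPT_EVEN_DENY_ROOT  0100
#define OPT_NO_RESET        0200

/* The class of defect the report describes: one decimal literal in a table
 * of octal literals. Decimal 100 is 0144 octal, i.e. 0100 | 040 | 04. */
#define OPT_AUDIT_BUGGY     100
/* Corrected form: the next unused single octal bit. */
#define OPT_AUDIT_FIXED     0400

static const unsigned OPTION_TABLE[] = {
    OPT_FILE, OPT_DENY, OPT_ONERR_FAIL, OPT_UNLOCK_TIME,
    OPT_PER_USER, OPT_NO_LOCK_TIME, OPT_EVEN_DENY_ROOT, OPT_NO_RESET,
};
#define OPTION_TABLE_LEN (sizeof OPTION_TABLE / sizeof OPTION_TABLE[0])

/* A clean flag has exactly one bit set. */
int is_single_bit(unsigned v)
{
    return v != 0 && (v & (v - 1)) == 0;
}

/* Bits of the existing table that a candidate flag would silently share. */
unsigned aliased_bits(unsigned flag)
{
    unsigned hit = 0;
    for (size_t i = 0; i < OPTION_TABLE_LEN; i++)
        if (flag & OPTION_TABLE[i])
            hit |= OPTION_TABLE[i];
    return hit;
}

/* Validates a candidate flag before it is added to the table: it must be a
 * single bit and must not overlap any flag already defined. */
int flag_is_safe_to_add(unsigned flag)
{
    return is_single_bit(flag) && aliased_bits(flag) == 0;
}

/* Simulates the module's control word after the admin configures only
 * "audit": with the buggy literal the even_deny_root bit comes along. */
int root_denied_with_audit_only(unsigned audit_flag)
{
    unsigned ctrl = 0;
    ctrl |= audit_flag;                 /* the only option given */
    return (ctrl & OPT_EVEN_DENY_ROOT) != 0;
}

int main(void)
{
    printf("buggy audit flag %u aliases table bits 0%o; root denied: %d\n",
           OPT_AUDIT_BUGGY, aliased_bits(OPT_AUDIT_BUGGY),
           root_denied_with_audit_only(OPT_AUDIT_BUGGY));
    printf("fixed audit flag 0%o safe to add: %d; root denied: %d\n",
           OPT_AUDIT_FIXED, flag_is_safe_to_add(OPT_AUDIT_FIXED),
           root_denied_with_audit_only(OPT_AUDIT_FIXED));
    return 0;
}
```

The check in flag_is_safe_to_add is the kind of assertion worth running whenever a new option is appended to a table of octal literals: with the constructed table above, the decimal literal overlaps three existing flags, and a module that only reads the control word has no way to tell the accidental bits from a deliberate configuration.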

Tags added: pending Request was from vorlon@users.alioth.debian.org to control@bugs.debian.org. (Sat, 20 Oct 2007 07:18:04 GMT) (full text, mbox, link).


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Corey Wright <undefined@pobox.com>:
Bug acknowledged by developer. (full text, mbox, link).


Message #12 received at 446327-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>
To: 446327-close@bugs.debian.org
Subject: Bug#446327: fixed in pam 0.99.7.1-6
Date: Sun, 16 Mar 2008 09:32:06 +0000
Source: pam
Source-Version: 0.99.7.1-6

We believe that the bug you reported is fixed in the latest version of
pam, which is due to be installed in the Debian FTP archive:

libpam-cracklib_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam-cracklib_0.99.7.1-6_amd64.deb
libpam-doc_0.99.7.1-6_all.deb
  to pool/main/p/pam/libpam-doc_0.99.7.1-6_all.deb
libpam-modules_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam-modules_0.99.7.1-6_amd64.deb
libpam-runtime_0.99.7.1-6_all.deb
  to pool/main/p/pam/libpam-runtime_0.99.7.1-6_all.deb
libpam0g-dev_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam0g-dev_0.99.7.1-6_amd64.deb
libpam0g_0.99.7.1-6_amd64.deb
  to pool/main/p/pam/libpam0g_0.99.7.1-6_amd64.deb
pam_0.99.7.1-6.diff.gz
  to pool/main/p/pam/pam_0.99.7.1-6.diff.gz
pam_0.99.7.1-6.dsc
  to pool/main/p/pam/pam_0.99.7.1-6.dsc
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 446327@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated pam package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 16 Mar 2008 02:06:28 -0700
Source: pam
Binary: libpam0g libpam-modules libpam-runtime libpam0g-dev libpam-cracklib libpam-doc
Architecture: source all amd64
Version: 0.99.7.1-6
Distribution: unstable
Urgency: low
Maintainer: Steve Langasek <vorlon@debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-cracklib - PAM module to enable cracklib support
 libpam-doc - Documentation of PAM
 libpam-modules - Pluggable Authentication Modules for PAM
 libpam-runtime - Runtime support for the PAM library
 libpam0g   - Pluggable Authentication Modules library
 libpam0g-dev - Development files for PAM
Closes: 444437 444479 444566 444758 445022 445869 446327 446584 448930 457042 457674 458264
Changes: 
 pam (0.99.7.1-6) unstable; urgency=low
 .
   * Debconf translations:
     - Updated Vietnamese, thanks to Clytie Siddall <clytie@riverland.net.au>
       (closes: #444437)
     - Updated Spanish, thanks to Javier Fernández-Sanguino Peña
       <jfs@debian.org> (closes: #444479)
     - Updated German, thanks to Sven Joachim <svenjoac@gmx.de>
       (closes: #444566)
     - Galician, thanks to Jacobo Tarrio <jtarrio@trasno.net> (closes: #444758)
     - Updated Czech, thanks to Miroslav Kure <kurem@upcase.inf.upol.cz>
       (closes: #445022)
     - French, thanks to Cyril Brulebois <cyril.brulebois@enst-bretagne.fr>
       (closes: #445869)
     - Japanese, thanks to Kenshi Muto <kmuto@debian.org> (closes: #446584)
     - Dutch, thanks to Bart Cornelis <cobaco@skolelinux.no> (closes: #448930)
     - Basque, thanks to Piarres Beobide <pi@beobide.net> (closes: #457042)
     - Updated Finnish, thanks to Esko Arajärvi <edu@iki.fi> (closes: #458264)
     - Swedish, thanks to Christer Andersson <klamm@comhem.se>
       (closes: #457674)
   * Make sure the "audit" option is specified in octal instead of in decimal,
     so that it doesn't randomly set other options.  Thanks to Corey Wright
     <undefined@pobox.com> for the catch.  Closes: #446327.
Files: 
 8e9c1818f3a6cce0a5d6461a489946fd 1091 libs optional pam_0.99.7.1-6.dsc
 ad6a3c26ea088a6c6e91e55b900b4922 120938 libs optional pam_0.99.7.1-6.diff.gz
 d6ab315f2a0652399f03bec21896063f 99366 admin required libpam-runtime_0.99.7.1-6_all.deb
 207602c992d1cb1d5a1f9a4537f41c9e 267474 doc optional libpam-doc_0.99.7.1-6_all.deb
 094bd4f22b33da888b9faa0bf3e774c4 89620 libs required libpam0g_0.99.7.1-6_amd64.deb
 3ec96248d5b2f2f1ef2b385ea0be3b68 262392 libs required libpam-modules_0.99.7.1-6_amd64.deb
 107dfb0f572df785c25d5d8e8e2c3df5 145134 libdevel optional libpam0g-dev_0.99.7.1-6_amd64.deb
 4cffc8e548d2e3a4fd650f888e6b4002 50870 libs optional libpam-cracklib_0.99.7.1-6_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFH3OX1KN6ufymYLloRAsnbAKCw8qa8m9ZUSG9OkLknumTR9a7zowCfTfm/
X7SFOmw5OpP3i4agGhUurZ0=
=aLSJ
-----END PGP SIGNATURE-----
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 23 Apr 2008 07:30:13 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jan 11 17:59:41 2018; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.