Debian Bug report logs - #57526
su does not use PAM-session modules
Reported by: Andreas Metzler <ametzler@downhill.at.eu.org>
Date: Tue, 8 Feb 2000 23:27:18 UTC
Severity: normal
Found in version 19990827-16
Fixed in version shadow/19990827-17
Done: Ben Collins <bcollins@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Ben Collins <bcollins@debian.org>: Bug#57526; Package login.
Acknowledgement sent to Andreas Metzler <ametzler@downhill.at.eu.org>: New Bug report received and forwarded. Copy sent to Ben Collins <bcollins@debian.org>.
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: login
Version: 19990827-16
su seems to ignore any PAM session modules requested in /etc/pam.d/su,
e.g. pam_limits.so.
Perhaps it is a linking problem?
ametzler@downhill:> grep session /bin/login /bin/su /usr/sbin/sshd
Binary file /bin/login matches
Binary file /usr/sbin/sshd matches
----/etc/pam.d/su---
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
session required pam_limits.so debug
--------------------
-----Syslog while executing "su - ametzler" as ametzler and logging out again-------------------------------
Feb 4 14:15:42 downhill su[1679]: + ttyp4 ametzler-ametzler
------------------------------------------
Whereas other PAM-aware applications, e.g. ssh, produce:
-----Syslog while executing "ssh localhost" as ametzler --------
Feb 4 14:17:24 downhill sshd[1694]: Accepted password for ametzler from 127.0.0.1 port 1023
Feb 4 14:17:24 downhill PAM_unix[1694]: (sshd) session opened for user ametzler by (uid=0)
Feb 4 14:17:24 downhill pam_limits[1694]: reading settings from '/etc/security/limits.conf'
Feb 4 14:17:24 downhill pam_limits[1694]: process_limit: processing(2) soft core
[snip]
------------------------------------------
----/etc/pam.d/ssh------------------------
auth required pam_nologin.so
auth required pam_unix.so
auth required pam_env.so # [1]
account required pam_unix.so
session required pam_unix.so
session optional pam_lastlog.so # [1]
session optional pam_motd.so # [1]
session optional pam_mail.so standard # [1]
password required pam_unix.so shadow md5 nullok
session required pam_limits.so debug
-----------------------------------------
Info about my system:
Frozen potato
Kernel 2.2.14
libpam0g 0.72-3
libpam-runtime 0.72-3
libpam-modules 0.72-3
libc6 2.1.2-12
cu andreas
--
Andreas Metzler, Wien |
ametzler@mat.univie.ac.at |
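The diagnosis in the report rests on two things: what the session stack in /etc/pam.d/su asks for, and whether syslog shows any PAM module running under su's PID. The following is an added example (not part of the bug report) that automates that comparison: it parses a pam.d file for its session modules, groups syslog lines by PID, and reports a service whose PID left no trace of a PAM session. The configuration and log excerpts are constructed samples shaped after the ones in the report; the function and variable names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the shape of the /etc/pam.d/su from the report.
PAM_SU_CONF = """\
auth     sufficient pam_rootok.so
auth     required   pam_unix.so
account  required   pam_unix.so
session  required   pam_unix.so
session  required   pam_limits.so debug
"""

# Constructed syslog excerpt mirroring the report: the su line carries no PAM
# session messages, the sshd lines show what a session-aware service logs.
SYSLOG = """\
Feb  4 14:15:42 downhill su[1679]: + ttyp4 ametzler-ametzler
Feb  4 14:17:24 downhill sshd[1694]: Accepted password for ametzler from 127.0.0.1 port 1023
Feb  4 14:17:24 downhill PAM_unix[1694]: (sshd) session opened for user ametzler by (uid=0)
Feb  4 14:17:24 downhill pam_limits[1694]: reading settings from '/etc/security/limits.conf'
"""

# Classic syslog line: "Mon DD HH:MM:SS host tag[pid]: message"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ (?P<tag>[^\s\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)


def session_modules(pam_conf: str) -> List[str]:
    """Modules requested on the 'session' stack of a pam.d file, in order."""
    mods = []
    for raw in pam_conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "session":
            mods.append(fields[2])
    return mods


def session_evidence(syslog: str, services: Tuple[str, ...]) -> Dict[str, Dict]:
    """For each service, collect its PIDs and whether any PAM module logged
    under one of those PIDs (a 'session opened' line or a pam_* tag)."""
    by_pid = defaultdict(list)                    # pid -> [(tag, msg), ...]
    for line in syslog.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            by_pid[m["pid"]].append((m["tag"], m["msg"]))
    report = {}
    for svc in services:
        pids = sorted(pid for pid, ents in by_pid.items()
                      if any(tag == svc for tag, _ in ents))
        logged = any(
            "session opened" in msg or tag.lower().startswith("pam_")
            for pid in pids for tag, msg in by_pid[pid] if tag != svc
        )
        report[svc] = {"pids": pids, "session_logged": logged}
    return report


def missing_session(pam_conf: str, syslog: str, service: str) -> List[str]:
    """Session modules the config asks for that left no trace in syslog for
    the given service; an empty list means the session stack evidently ran."""
    requested = session_modules(pam_conf)
    if session_evidence(syslog, (service,))[service]["session_logged"]:
        return []
    return requested


if __name__ == "__main__":
    print(session_evidence(SYSLOG, ("su", "sshd")))
    print("su: no trace of", missing_session(PAM_SU_CONF, SYSLOG, "su"))
```

On the sample data this reports su (PID 1679) with no PAM session evidence while sshd (PID 1694) has it, which is exactly the asymmetry the report points out. The "pam_*" tag heuristic depends on modules that log under their own name, as pam_limits does with the debug option; a quiet session module would need the PAM_unix "session opened" line as the signal.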
Information forwarded to debian-bugs-dist@lists.debian.org, Ben Collins <bcollins@debian.org>: Bug#57526; Package login.
Acknowledgement sent to Topi Miettinen <Topi.Miettinen@nic.fi>: Extra info received and forwarded to list. Copy sent to Ben Collins <bcollins@debian.org>.
Message #10 received at 57526@bugs.debian.org (full text, mbox, reply):
In fact, this bug is caused by su not calling pam_open_session(). This quick
hack fixes the problem, but may cause others by not adding corresponding
pam_close_session() calls.
-Topi
diff -ru shadow-19990827/src/su.c.orig shadow-19990827/src/su.c
--- shadow-19990827/src/su.c.orig Sun Feb 13 19:18:44 2000
+++ shadow-19990827/src/su.c Sun Feb 13 19:28:20 2000
@@ -656,6 +656,14 @@
exit(1);
}
+ ret = pam_open_session(pamh, 0);
+ if (ret != PAM_SUCCESS) {
+ SYSLOG((LOG_ERR, "pam_open_session: %s\n", PAM_STRERROR(pamh, ret)));
+ fprintf(stderr, "%s: %s\n", Prog, PAM_STRERROR(pamh, ret));
+ pam_end(pamh, ret);
+ exit(1);
+ }
+
/* become the new user */
if (change_uid(&pwent)) {
pam_setcred(pamh, PAM_DELETE_CRED);
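Review bot: The new pam_open_session() error path is inconsistent with the change_uid() failure path just below it: on failure it goes straight to pam_end(pamh, ret), while the existing path first calls pam_setcred(pamh, PAM_DELETE_CRED); add the same pam_setcred() call before pam_end() so credentials established by pam_setcred() earlier are dropped on this exit too. As the covering message says, the session opened here also has no matching pam_close_session(); since su replaces itself with the user's shell after change_uid(), a close can only happen if a privileged process survives the exec, which this hunk does not arrange.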
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#57526; Package login.
Acknowledgement sent to Ben Collins <bcollins@debian.org>: Extra info received and forwarded to list.
Message #15 received at 57526@bugs.debian.org (full text, mbox, reply):
On Sun, Feb 13, 2000 at 08:08:18PM +0200, Topi Miettinen wrote:
> In fact, this bug is caused by su not calling pam_open_session(). This quick
> hack fixes the problem, but may cause others by not adding corresponding
> pam_close_session() calls.
Yeah, it is a security risk not to group pam_open_session() calls with a
corresponding pam_close_session() call. Example would be using pam_krb5
modules, which would leave the credentials lying around after su closes.
This has to be done with an appropriate fork() call so that su stays
around after the session closes. I am not going to have this in potato,
simply because it is too close to release to change the behavior this
much. It will be implemented for woody after potato releases. The reason I
have done nothing with it so far is because I am concentrating on potato
right now, and I won't do any work on woody until potato is out the door.
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bmc@visi.net '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
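The process structure described in the reply above, as an added example that is not part of the thread: the privileged parent opens the session, forks, lets the child become the user and do the work, and closes the session only after the child has exited. The PAM calls themselves are not used here; open_session and close_session are stand-in callbacks (an assumption for this illustration) that record the order of events, and the code is in Python so that it runs without libpam. What it demonstrates beyond the prose is the exit-status handling the parent must get right: a child killed by a signal has no exit code, so the parent maps that case to 128+signal instead of reading an undefined WEXITSTATUS.

```python
import os
import signal
from typing import Callable, Dict, List


def run_with_session(open_session: Callable[[], None],
                     close_session: Callable[[], None],
                     child_main: Callable[[], int]) -> int:
    """Open a session in the privileged parent, run child_main in a forked
    child (where su would drop privileges and exec the shell), and close the
    session in the parent only after the child is gone.  Returns the child's
    exit status in shell convention: its exit code, or 128+N if signal N
    killed it."""
    open_session()
    # Ignore SIGINT in the parent so ^C reaches the child's shell, not the
    # process that still has to close the session.
    try:
        old = signal.signal(signal.SIGINT, signal.SIG_IGN)
    except ValueError:            # not the main thread: leave dispositions alone
        old = None
    pid = os.fork()
    if pid == 0:                                  # child
        if old is not None:
            signal.signal(signal.SIGINT, signal.SIG_DFL)
        code = 1
        try:
            code = child_main()
        finally:
            os._exit(code)                        # never fall back into parent code
    _, status = os.waitpid(pid, 0)                # parent: outlive the child
    if old is not None:
        signal.signal(signal.SIGINT, old)
    try:
        if os.WIFEXITED(status):
            return os.WEXITSTATUS(status)
        if os.WIFSIGNALED(status):
            return 128 + os.WTERMSIG(status)      # no exit code exists for this case
        return 1
    finally:
        close_session()                           # runs on every path, as root


def demo() -> Dict[str, object]:
    """Constructed stand-ins for pam_open_session()/pam_close_session(): they
    only record the order of events in the parent.  One child exits normally
    with 3, the other terminates itself with SIGTERM."""
    events: List[str] = []
    normal = run_with_session(lambda: events.append("open"),
                              lambda: events.append("close"),
                              lambda: 3)
    killed = run_with_session(lambda: events.append("open"),
                              lambda: events.append("close"),
                              lambda: os.kill(os.getpid(), signal.SIGTERM) or 0)
    return {"normal": normal, "killed": killed, "events": events}


if __name__ == "__main__":
    print(demo())
```

The parent keeps its privileges for the lifetime of the child, which is the cost the reply accepts in exchange for being able to close the session; that is also why the parent must not die on the same keyboard signals as the shell it waits for.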
Information forwarded to debian-bugs-dist@lists.debian.org, Ben Collins <bcollins@debian.org>: Bug#57526; Package login.
Acknowledgement sent to Topi Miettinen <tom@pluto.nic.fi>: Extra info received and forwarded to list. Copy sent to Ben Collins <bcollins@debian.org>.
Message #20 received at 57526@bugs.debian.org (full text, mbox, reply):
Is this patch better? Mostly copy & paste from login.c.
-Topi
diff -ru ./shadow-19990827/src/su.c.orig ./shadow-19990827/src/su.c
--- ./shadow-19990827/src/su.c.orig Thu Feb 17 22:12:34 2000
+++ ./shadow-19990827/src/su.c Tue Feb 22 20:48:10 2000
@@ -656,15 +656,54 @@
exit(1);
}
+ ret = pam_open_session(pamh, 0);
+ if (ret != PAM_SUCCESS) {
+ SYSLOG((LOG_ERR, "pam_open_session: %s\n", PAM_STRERROR(pamh, ret)));
+ fprintf(stderr, "%s: %s\n", Prog, PAM_STRERROR(pamh, ret));
+ pam_setcred(pamh, PAM_DELETE_CRED);
+ pam_end(pamh, ret);
+ exit(1);
+ }
+ /* We must fork before setuid() because we need to call
+ * pam_close_session() as root.
+ */
+
+ /* We let the admin configure whether they need to keep login
+ around to close sessions */
+ if (getdef_bool("CLOSE_SESSIONS")) {
+ pid_t pid;
+ int status;
+
+ signal(SIGINT, SIG_IGN);
+ pid = fork();
+
+ switch(pid) {
+ case -1:
+ SYSLOG((LOG_ERR, "su: fork failure: %m"));
+ perror("su: fork failure");
+ pam_setcred(pamh, PAM_DELETE_CRED);
+ pam_close_session(pamh, 0);
+ pam_end(pamh, PAM_ABORT);
+ exit(1);
+ case 0: /* child */
+ signal(SIGINT, SIG_DFL);
+ break;
+ default: /* parent */
+ waitpid(pid, &status, 0);
+ /* now we are done using PAM */
+ pam_setcred(pamh, PAM_DELETE_CRED);
+ ret = pam_close_session(pamh, 0);
+ pam_end(pamh, ret);
+ exit(WEXITSTATUS(status));
+ }
+ }
/* become the new user */
if (change_uid(&pwent)) {
+ pam_close_session(pamh, 0);
pam_setcred(pamh, PAM_DELETE_CRED);
pam_end(pamh, PAM_ABORT);
exit(1);
}
-
- /* now we are done using PAM */
- pam_end(pamh, PAM_SUCCESS);
#else /* !USE_PAM */
if (!amroot) /* no limits if su from root */
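Review bot: In the parent branch of the switch, exit(WEXITSTATUS(status)) is reached without checking WIFEXITED(status); if the child shell dies from a signal, WEXITSTATUS yields an unrelated value, so su should test WIFEXITED first and map a signalled child to 128+WTERMSIG (or re-raise the signal) after pam_close_session(). Two smaller points on the same branch: only SIGINT is ignored while the root-owned parent waits, so SIGQUIT, SIGHUP or SIGTERM delivered to the process group terminate it before pam_close_session() runs, and waitpid() is not retried on EINTR. Finally, the hunk deletes the unconditional pam_end(pamh, PAM_SUCCESS), so when CLOSE_SESSIONS is off the handle is never ended and the session opened above is never closed before the exec; that path should at least keep a pam_end() or document that sessions are left open by configuration.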
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#57526; Package login.
Acknowledgement sent to Ben Collins <bcollins@debian.org>: Extra info received and forwarded to list.
Message #25 received at 57526@bugs.debian.org (full text, mbox, reply):
On Tue, Feb 22, 2000 at 09:10:12PM +0200, Topi Miettinen wrote:
> Is this patch better? Mostly copy & paste from login.c.
>
Yes, thanks.
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bmc@visi.net '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
Reply sent to Ben Collins <bcollins@debian.org>: You have taken responsibility.
Notification sent to Andreas Metzler <ametzler@downhill.at.eu.org>: Bug acknowledged by developer.
Message #30 received at 57526-close@bugs.debian.org (full text, mbox, reply):
We believe that the bug you reported is fixed in the latest version of
shadow, which has been installed in the Debian FTP archive:
login_19990827-17_sparc.deb
to dists/woody/main/binary-sparc/base/login_19990827-17.deb
replacing login_19990827-16.deb
passwd_19990827-17_sparc.deb
to dists/woody/main/binary-sparc/base/passwd_19990827-17.deb
replacing passwd_19990827-16.deb
shadow_19990827-17.diff.gz
to dists/woody/main/source/base/shadow_19990827-17.diff.gz
replacing shadow_19990827-16.diff.gz
shadow_19990827-17.dsc
to dists/woody/main/source/base/shadow_19990827-17.dsc
replacing shadow_19990827-16.dsc
Note that this package is not part of the released stable Debian
distribution. It may have dependencies on other unreleased software,
or other instabilities. Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 57526@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ben Collins <bcollins@debian.org> (supplier of updated shadow package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.6
Date: Mon, 28 Feb 2000 12:37:22 -0500
Source: shadow
Binary: login passwd
Architecture: source sparc
Version: 19990827-17
Distribution: unstable
Urgency: low
Maintainer: Ben Collins <bcollins@debian.org>
Description:
login - System login tools
passwd - Change and administer password and group data.
Closes: 53702 54768 54877 54900 55873 57526 57532 58203
Changes:
shadow (19990827-17) unstable; urgency=low
.
* Fixed typo in login.defs, closes: #54877
* logoutd.init.d: Check for /etc/security/time.conf, closes: #54900
* login.defs: Added note about the MAIL env option, closes: #54768
* login.pam.d,passwd.pam.d: Use new options in pam_unix.so to enable
obscure password checks. This mimics the old behavior in pre-PAM
shadow, closes: #58203
* Use patch from Topi Miettinen <tom@pluto.nic.fi> to add pam session
ability to su, closes: #57526, #55873, #57532
* Made login's -f option also able to use the username after -- if none
was passed as its optarg, closes: #53702
Files:
3a458acf6a310c12b31ad5394f7c483c 584 base required shadow_19990827-17.dsc
ead9a314f6b3c65c574b01710d9f512f 43611 base required shadow_19990827-17.diff.gz
56b40b295fac4d2c582cd5e185864853 300530 base required passwd_19990827-17_sparc.deb
ed9a86ea55d241eb2b8844b436174b2a 119642 base required login_19990827-17_sparc.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: Some people are fools, some are just foolish
iD8DBQE4usjzfNc/ZB4E7C0RAkVqAKCc3NG7GcYPCv7/D3AvlEY/9y1/fgCgltut
BEFoPdytU26Rp/38wcgtwv4=
=9LmG
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Mon Nov 2 17:46:43 2015; Machine Name: buxtehude
Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.