Debian Bug report logs - #580434
su: dropping privileges before calling pam_close_session() does not play nice with libpam-mount or libpam-systemd


Package: login; Maintainer for login is Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>; Source for login is src:shadow.

Reported by: Kevin Mitchell <kevmitch@math.sfu.ca>

Date: Wed, 5 May 2010 23:57:08 UTC

Severity: normal

Tags: patch

Found in version shadow/1:4.1.4.2-1

Fixed in version shadow/1:4.1.5-1

Done: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Bastian Kleineidam <calvin@debian.org>:
Bug#580434; Package libpam-mount. (Wed, 05 May 2010 23:57:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Kevin Mitchell <kevmitch@math.sfu.ca>:
New Bug report received and forwarded. Copy sent to Bastian Kleineidam <calvin@debian.org>. (Wed, 05 May 2010 23:57:11 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Kevin Mitchell <kevmitch@math.sfu.ca>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libpam-mount: does not play nice with "su"
Date: Wed, 05 May 2010 16:55:45 -0700
Package: libpam-mount
Version: 2.0-1
Severity: normal


Using the new pam-auth-update method of enabling pam-mount, as recommended by
/usr/share/doc/libpam-mount/README.Debian.gz, pam_mount.so gets added to both
/etc/pam.d/common-auth and /etc/pam.d/common-session.

This seems reasonable, however both of these are included in /etc/pam.d/su. 

Therefore, when su is used to login as a user for which
/etc/security/pam-mount.conf.xml does not specify any action:

$ su guest -l
Password: 
guest@homunculus:~$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
pmvarrun(pmvarrun.c:453): could not unlink /var/run/pam_mount/guest: Permission denied
$ 

When su is used to login as a user for which a tmpfs volume should be mounted:

$ su kevmitch -l
Password: 
$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
$ 

Finally, it seems that the mkmountpoint feature also does not work
correctly when using su. When su is used to login as a user for which a
tmpfs volume should be mounted on a directory that is nonexistent, but that that
user has the appropriate permissions to create:

$ su leila -l 
Password: 
leila@homunculus:~$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
pmvarrun(pmvarrun.c:453): could not unlink /var/run/pam_mount/leila: Permission denied
pam_mount(spawn.c:101): error setting uid to 0
pam_mount(mount.c:64): umount messages:
pam_mount(mount.c:68): umount: /home/leila/tmp is not in the fstab (and you are not root)
pam_mount(mount.c:705): unmount of none failed
$ 

This of course is not to mention the unavoidable problem that there will be
a password prompt when using su as root:

$ sudo su kevmitch -l
reenter password for pam_mount:
$ exit
logout
pam_mount(spawn.c:101): error setting uid to 0
$ 

It would seem prudent to do either or both of the following:
1) Somehow disable pam-mount from getting included in /etc/pam.d/su by default
2) Make pam-mount more su-aware if possible

Kevin

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (600, 'unstable'), (500, 'testing'), (400, 'stable'), (300, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33.2003 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1) (ignored: LC_ALL set to en_GB)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-mount depends on:
ii  libc6                       2.10.2-7     Embedded GNU C Library: Shared lib
ii  libcryptsetup1              2:1.1.0-2.1  libcryptsetup shared library
ii  libhx22                     3.4-1        A library providing queue, tree, I
ii  libpam-runtime              1.1.1-3      Runtime support for the PAM librar
ii  libpam0g                    1.1.1-3      Pluggable Authentication Modules l
ii  libssl0.9.8                 0.9.8n-1     SSL shared libraries
ii  libxml2                     2.7.7.dfsg-2 GNOME XML library
ii  mount                       2.16.2-0     Tools for mounting and manipulatin

libpam-mount recommends no packages.

Versions of packages libpam-mount suggests:
pn  davfs2                     <none>        (no description available)
ii  fuse-utils                 2.8.1-1.2     Filesystem in USErspace (utilities
ii  lsof                       4.81.dfsg.1-1 List open files
pn  ncpfs                      <none>        (no description available)
ii  openssl                    0.9.8n-1      Secure Socket Layer (SSL) binary a
ii  psmisc                     22.11-1       utilities that use the proc file s
ii  smbfs                      2:4.1-1       Common Internet File System utilit
ii  sshfs                      2.2-1         filesystem client based on SSH Fil
pn  tc-utils                   <none>        (no description available)
ii  xfsprogs                   3.1.1         Utilities for managing the XFS fil

-- Configuration Files:
/etc/security/pam_mount.conf.xml changed:
<?xml version="1.0" encoding="utf-8" ?>
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<!--
        See pam_mount.conf(5) for a description.
-->

<pam_mount>

                <!-- debug should come before everything else,
                since this file is still processed in a single pass
                from top-to-bottom -->

<debug enable="0" />
<volume sgrp="tmpfs" fstype="tmpfs" path="none" mountpoint="~/tmp"
        options="size=2G,uid=%(USER),mode=0700" fskeyhash="md5"/> 

                <!-- Volume definitions -->


                <!-- pam_mount parameters: General tunables -->

<!--
<luserconf name=".pam_mount.conf.xml" />
-->

<!-- Note that commenting out mntoptions will give you the defaults.
     You will need to explicitly initialize it with the empty string
     to reset the defaults to nothing. -->
<mntoptions allow="nosuid,nodev,loop,encryption,fsck,nonempty,allow_root,allow_other" />
<!--
<mntoptions deny="suid,dev" />
<mntoptions allow="*" />
<mntoptions deny="*" />
-->
<mntoptions require="nosuid,nodev" />
<path>/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin</path>

<logout wait="0" hup="0" term="0" kill="0" />


                <!-- pam_mount parameters: Volume-related -->

<mkmountpoint enable="1" remove="true" />


</pam_mount>


-- no debconf information


Changed Bug title to 'su: dropping privileges before calling pam_close_session() does not play nice with libpam-mount' from 'libpam-mount: does not play nice with "su"' Request was from Bastian Kleineidam <calvin@debian.org> to control@bugs.debian.org. (Sun, 09 May 2010 09:36:03 GMT) Full text and rfc822 format available.

Bug reassigned from package 'libpam-mount' to 'login'. Request was from Bastian Kleineidam <calvin@debian.org> to control@bugs.debian.org. (Sun, 09 May 2010 09:36:03 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions libpam-mount/2.0-1. Request was from Bastian Kleineidam <calvin@debian.org> to control@bugs.debian.org. (Sun, 09 May 2010 09:36:04 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#580434; Package login. (Mon, 10 May 2010 22:21:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bastian Kleineidam <calvin@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 10 May 2010 22:21:03 GMT) Full text and rfc822 format available.

Message #16 received at 580434@bugs.debian.org (full text, mbox, reply):

From: Bastian Kleineidam <calvin@debian.org>
To: 580434@bugs.debian.org
Subject: su: dropping privileges before calling pam_close_session() does not play nice with libpam-mount
Date: Tue, 11 May 2010 00:13:45 +0200
[Message part 1 (text/plain, inline)]
Hi,

the title says it all: the "su" program drops privileges and calls
pam_close_session() without root permissions. This causes bogus
errors in other PAM modules such as libpam-mount (which needs the permissions
to unmount volumes).

This seems a duplicate of the archived bug #195048, but this bug is rather 
old. So I am not reopening, or merging those two.

Regards,
  Bastian
[signature.asc (application/pgp-signature, inline)]
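An added example, not code from the bug report, from shadow or from libpam-mount: a POSIX shell script that resolves a PAM service's effective stack by following @include lines, so an administrator can see how su inherits pam_mount.so from common-auth and common-session as the original report describes and which session modules will run at the pam_close_session() call this thread is about. The /etc/pam.d files it builds are a constructed snapshot in a temp dir, and the helper names (pam_stack, inherits_module, demo_pam_dir) are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report, shadow or libpam-mount.
# Lists the effective PAM stack of a service by following @include lines, so an
# admin can see which services (here "su") inherit pam_mount.so / pam_systemd.so
# from common-session: those modules do privileged work in pam_close_session(),
# which is exactly the point where the su in this report has already dropped root.
# The pam.d files below are a constructed snapshot modelled on Debian's layout.
set -eu

# pam_stack DIR SERVICE TYPE: print the module names of TYPE (auth|account|
# session|password) for SERVICE under DIR, in the order libpam runs them.
pam_stack() {
    file="$1/$2"
    [ -r "$file" ] || { echo "no such PAM service: $2" >&2; return 1; }
    # drop comments, normalise whitespace, then read "type control module args"
    sed 's/#.*//' "$file" | tr -s ' \t' ' ' | while read -r a b rest; do
        [ -n "$a" ] || continue
        if [ "$a" = "@include" ]; then
            pam_stack "$1" "$b" "$3"            # recurse into the included file
        elif [ "$a" = "$3" ]; then
            case "$b" in
                "["*"]") mod="${rest%% *}" ;;                  # e.g. [default=1]
                "["*)    mod="${rest#*] }"; mod="${mod%% *}" ;; # [success=1 default=ignore]
                *)       mod="${rest%% *}" ;;                  # required, optional, ...
            esac
            printf '%s\n' "$mod"
        fi
    done
}

# inherits_module DIR SERVICE TYPE MODULE: succeed if MODULE is in that stack.
inherits_module() {
    pam_stack "$1" "$2" "$3" | grep -qx "$4"
}
# demo_pam_dir: write the constructed pam.d snapshot to a temp dir, print its path.
demo_pam_dir() {
    d=$(mktemp -d)
    cat > "$d/su" <<'EOF'
auth       sufficient pam_rootok.so
session    required   pam_env.so readenv=1
session    optional   pam_mail.so nopen
session    required   pam_limits.so
@include common-auth
@include common-session
EOF
    cat > "$d/common-auth" <<'EOF'
auth    [success=1 default=ignore]  pam_unix.so nullok_secure
auth    requisite                   pam_deny.so
auth    required                    pam_permit.so
auth    optional                    pam_mount.so
EOF
    cat > "$d/common-session" <<'EOF'
session [default=1]     pam_permit.so
session requisite       pam_deny.so
session required        pam_permit.so
session required        pam_unix.so
session optional        pam_mount.so
EOF
    printf '%s\n' "$d"
}
dir=$(demo_pam_dir)
echo "session stack for su:"; pam_stack "$dir" su session
inherits_module "$dir" su session pam_mount.so && echo "su: pam_mount.so runs at pam_close_session(), needs root"
rm -rf "$dir"
```

Point pam_stack at the real /etc/pam.d to audit a live system; any module that must do privileged work at pam_close_session() (pam_mount.so, pam_systemd.so) appearing in su's session stack is hit by the ordering problem described here until su is fixed to close the session as root.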

Bug Marked as found in versions shadow/1:4.1.4.2-1. Request was from Jörg Sommer,,, <joerg@alea.gnuu.de> to control@bugs.debian.org. (Thu, 29 Jul 2010 17:24:13 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#580434; Package login. (Mon, 27 Dec 2010 20:09:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Mon, 27 Dec 2010 20:09:03 GMT) Full text and rfc822 format available.

Message #23 received at 580434@bugs.debian.org (full text, mbox, reply):

From: Michael Biebl <biebl@debian.org>
To: 580434@bugs.debian.org
Cc: control@bugs.debian.org, Tollef Fog Heen <tfheen@err.no>, Kevin Mitchell <kevmitch@math.sfu.ca>
Subject: libpam-systemd affected too
Date: Mon, 27 Dec 2010 21:06:40 +0100
[Message part 1 (text/plain, inline)]
block 599731 by 580434
tags 580434 patch
user systemd@packages.debian.org
usertag login
thanks


Hi,

just wanted to add that libpam-systemd is affected [1] by this issue, too.

There is a proposed patch [2] in the Gentoo bug tracker at [3].


Cheers,
Michael

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599731
[2] http://bugs.gentoo.org/attachment.cgi?id=255455
[3] http://bugs.gentoo.org/346813

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Added indication that bug 580434 blocks 599731 Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Mon, 27 Dec 2010 20:09:09 GMT) Full text and rfc822 format available.

Added tag(s) patch. Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Mon, 27 Dec 2010 20:09:10 GMT) Full text and rfc822 format available.

Changed Bug title to 'su: dropping privileges before calling pam_close_session() does not play nice with libpam-mount or libpam-systemd' from 'su: dropping privileges before calling pam_close_session() does not play nice with libpam-mount' Request was from Michael Biebl <biebl@debian.org> to control@bugs.debian.org. (Mon, 27 Dec 2010 20:21:02 GMT) Full text and rfc822 format available.

Added tag(s) pending. Request was from Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> to control@bugs.debian.org. (Sat, 25 Jun 2011 07:57:15 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>:
Bug#580434; Package login. (Tue, 11 Oct 2011 18:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Tollef Fog Heen <tfheen@err.no>:
Extra info received and forwarded to list. Copy sent to Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>. (Tue, 11 Oct 2011 18:42:03 GMT) Full text and rfc822 format available.

Message #36 received at 580434@bugs.debian.org (full text, mbox, reply):

From: Tollef Fog Heen <tfheen@err.no>
To: 580434@bugs.debian.org
Subject: Status?
Date: Tue, 11 Oct 2011 20:38:52 +0200
Hiya,

this bug was tagged pending some months ago, is the upload going to
happen soonish? :-)

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are


Reply sent to Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>:
You have taken responsibility. (Sun, 12 Feb 2012 23:36:05 GMT) Full text and rfc822 format available.

Notification sent to Kevin Mitchell <kevmitch@math.sfu.ca>:
Bug acknowledged by developer. (Sun, 12 Feb 2012 23:36:05 GMT) Full text and rfc822 format available.

Message #41 received at 580434-close@bugs.debian.org (full text, mbox, reply):

From: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
To: 580434-close@bugs.debian.org
Subject: Bug#580434: fixed in shadow 1:4.1.5-1
Date: Sun, 12 Feb 2012 23:34:18 +0000
Source: shadow
Source-Version: 1:4.1.5-1

We believe that the bug you reported is fixed in the latest version of
shadow, which is due to be installed in the Debian FTP archive:

login_4.1.5-1_i386.deb
  to main/s/shadow/login_4.1.5-1_i386.deb
passwd_4.1.5-1_i386.deb
  to main/s/shadow/passwd_4.1.5-1_i386.deb
shadow_4.1.5-1.diff.gz
  to main/s/shadow/shadow_4.1.5-1.diff.gz
shadow_4.1.5-1.dsc
  to main/s/shadow/shadow_4.1.5-1.dsc
shadow_4.1.5.orig.tar.gz
  to main/s/shadow/shadow_4.1.5.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 580434@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net> (supplier of updated shadow package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 12 Feb 2012 22:27:03 +0100
Source: shadow
Binary: passwd login
Architecture: source i386
Version: 1:4.1.5-1
Distribution: unstable
Urgency: low
Maintainer: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Changed-By: Nicolas FRANCOIS (Nekral) <nicolas.francois@centraliens.net>
Description: 
 login      - system login tools
 passwd     - change and administer password and group data
Closes: 544184 580434 584868 597661 602264 603315 605329 606159 609117 614321 616167 617295 620930 620978 621126 621330 621810 622106 622765 622834 622908 623608 623722 627526 628776 628777 628843 630250 630618 632461 634465 636047 647308 647469 655194 655858 656503 656686 657010 657514 657516 657621 657622 657710 657717
Changes: 
 shadow (1:4.1.5-1) unstable; urgency=low
 .
   * The "Charolais" release.
 .
   [ Nicolas FRANCOIS (Nekral) ]
   * New upstream release:
     - su: Fix possible tty hijacking by dropping the controlling terminal when
       executing a command (CVE-2005-4890). Closes: #628843
     - userdel: Check the existence of the user's mail spool before trying to
       remove it. If it does not exist, a warning is issued, but no failure.
       Closes: #617295
     - userdel: Do not remove a group with the same name as the user
       (usergroup) if this group isn't the user's primary group.
       Closes: #584868
     - su: Close the PAM session as root (fix issues with pam_mount and
       pam_systemd). Closes: #580434
     - Fix several typos in manpages. Thanks to Simon Brandmair.
       Closes: #628776
     - userdel error message has been clarified when the user is still
       executing processes (it used to complain that the user is logged in).
       Closes: #603315
     - passwd(1) references chpasswd(8). Closes: #609117
     - Spaces have been added between options and arguments in the Russian
       manpages. Closes: #606159
     - Fix handling of numerical dates in usermod -e. Closes: #621810
     - usermod: When the shadow file exists but there are no shadow entries, an
       entry is created if the password is changed and passwd requires a shadow
       entry, or if aging features are used (-e or -f). Closes: #632461
     - Added diagnosis for lock failures. Closes: #616167
     - grpck/pwck: NIS entries were dropped by -s (sort). Closes: #622765
     - login does not log into utmp(x) and wtmp. This is already done by
       pam_lastlog. Closes: #605329
     - groupmod: document that /etc/passwd can be modified by groupmod -g.
       Closes: #647308
     - Updated patches
       + debian/patches/008_login_log_failure_in_FTMP
       + debian/patches/401_cppw_src.dpatch
       + debian/patches/402_cppw_selinux
       + debian/patches/428_grpck_add_prune_option
       + debian/patches/429_login_FAILLOG_ENAB
       + debian/patches/463_login_delay_obeys_to_PAM
       + debian/patches/501_commonio_group_shadow
       + debian/patches/505_useradd_recommend_adduser
       + debian/patches/506_relaxed_usernames
       + debian/patches/508_nologin_in_usr_sbin
       + debian/patches/523_su_arguments_are_concatenated
       + debian/patches/523_su_arguments_are_no_more_concatenated_by_default
       + debian/patches/542_useradd-O_option
       + debian/patches/900_testsuite_groupmems
     - debian/patches/008_su_get_PAM_username: Removed, feature supported
       upstream.
     - debian/patches/300_CVE-2011-0721: Removed, applied upstream.
     - Upstream translation updates from Debian BTS:
       + Brazilian Portuguese. Closes: #622834
       + Catalan. Closes: #627526
       + Danish. Closes: #621330, #657514
       + German. Closes: #622908, #656503
       + French. Closes: #623608, #657621
       + Japanese. Closes: #620978
       + Kazakh. Closes: #620930
       + Portuguese. Closes: #623722, #656686
       + Russian. Closes: #622106, #655194
       + Spanish (Closes: #630618)
       + Swedish. Closes: #621126
       + Simplified Chinese. Closes: #655858
     - Upstream manpages translation updates from Debian BTS:
       + French. Closes: #630250, #657622
       + German. Closes: #628777
       + Simplified Chinese. Closes: #602264, #655858
       + Danish added. Closes: #657516
       + Russian. Closes: #657710
   * debian/control: mark passwd as 'Multi-Arch: foreign'. Closes: #614321
   * debian/securetty.linux: Add IBM pSeries console ports. Closes: #597661
   * debian/securetty.linux: Add serial Console for MIPS Swarm.
     (http://lists.debian.org/debian-release/2011/02/msg00320.html)
   * debian/securetty.linux: Add s390/s390x ports ttysclp0. Closes: #647469
   * debian/securetty.linux: Fixed typo: ttyama -> ttyAMA. Closes: #544184
   * debian/rules, debian/man.insert, debian/man.insert.sed: Bug #507673 has
     been closed. It is no longer needed to patch the generated manpages. This
     also fixes failures to build twice in a row. Closes: #636047
   * debian/patches/401_cppw_src.dpatch: Replace progname by Prog. Rename
     create_backup_file to create_copy. The lock functions do not set errno.
     Do not report the error string on cppwexit.
   * debian/patches/401_cppw_src.dpatch, debian/patches/402_cppw_selinux:
     Synchronize with coding style.
   * debian/patches/401_cppw_src.dpatch: Detect as well too many and too
     few arguments.
   * debian/patches/506_relaxed_usernames: Really check if the user/group
     name starts with a dash. Also forbid names starting with '+' or '~'.
     Document the naming policy in useradd.8 / groupadd.8.
   * debian/patches/506_relaxed_usernames: Also forbid names containing a
     comma.
   * debian/patches/901_testsuite_gcov: Do not revert the locale when testing
     with gcov to avoid coverage false negatives. This does not impact the
     debian binary package, only the test package.
   * debian/control: Add Build-Depends on libsemanage1-dev [linux-any]
   * debian/rules: Do not hard-code CFLAGS and LDFLAGS. Build with all
     hardening flags set. Closes: #657010
   * debian/control: depends on dpkg-dev (>= 1.16.1~) for including
     /usr/share/dpkg/buildflags.mk
   * debian/control: Standards-Version: bumped to 3.9.2. No changes.
   * debian/login.defs: Set the default encryption method to SHA512.
     Closes: #657717
 .
   [ Christian Perrier ]
   * Use "linux-any" instead of a negated list of architectures in
     Build-Depends. Closes: #634465
Checksums-Sha1: 
Checksums-Sha256: 
Files: 


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 22 Mar 2012 07:40:35 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Nov 2 17:46:31 2015; Machine Name: buxtehude

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.