NetBSD Problem Report #38276

From duck@shangtai.net  Sat Mar 22 13:08:00 2008
Return-Path: <duck@shangtai.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by narn.NetBSD.org (Postfix) with ESMTP id 9AFE363B863
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 22 Mar 2008 13:08:00 +0000 (UTC)
Message-Id: <20080322130754.463F12D4D6@knightrider.shangtai.net>
Date: Sat, 22 Mar 2008 15:07:54 +0200 (EET)
From: duck@multi.fi
Reply-To: duck@multi.fi
To: gnats-bugs@gnats.NetBSD.org
Subject: openpam treats sufficient as optional in "prelim" phase making pam_ldap fail
X-Send-Pr-Version: 3.95

>Number:         38276
>Category:       security
>Synopsis:       openpam treats sufficient as optional in "prelim" phase making pam_ldap fail
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    security-officer
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Mar 22 13:10:00 +0000 2008
>Last-Modified:  Wed May 28 11:50:01 +0000 2008
>Originator:     duck@multi.fi
>Release:        NetBSD 3.1_STABLE
>Organization:
>Environment:
System: NetBSD knightrider.shangtai.net 3.1_STABLE NetBSD 3.1_STABLE (KITT) #0: Sat Mar 17 11:09:56 EET 2007 root@knightrider.shangtai.net:/usr/obj/sys/arch/alpha/compile.alpha/KITT alpha
Architecture: alpha
Machine: alpha
>Description:

I bumped into a problem previously seen by Edgar Fuss <ef@math.uni-bonn.de>
in 2007 where pam treats "sufficient" configurations as "optional" in the
"prelim" phase. This makes it impossible to change passwords in the ldap
database via passwd(1) using pam_ldap because as the ldap module is treated
as optional, the preliminary test is not stopped but continues to pam_unix or
whatever other module follows, failing the attempt.
Also note that the prelim check is not invoked if the caller is root.

See Edgar's original message: http://mail-index.netbsd.org/tech-userlevel/2007/08/25/0006.html

>How-To-Repeat:

pam_ldap will fail with the following configuration setting:

password	sufficient	pam_ldap.so
password	required	pam_unix.so

or

password	sufficient	pam_ldap.so
password	sufficient	pam_unix.so
password	required	pam_deny.so

both of which I understand work on linux.

>Fix:

A patch to pam_deny fixes the issue
http://mail-index.netbsd.org/tech-userlevel/2007/08/29/0001.html
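The dispatch behaviour the report describes, modelled as an added Python example (this is not OpenPAM source and not part of the PR). It follows the control-flag semantics documented in pam.conf(5) for required, requisite, sufficient and optional, plus the one rule at issue here: in the PAM_PRELIM_CHECK pass of pam_chauthtok(), a "sufficient" module is treated as "optional", so a successful pam_ldap does not stop the chain. The account sets and the module functions are constructed stand-ins, and `pam_deny_prelim_ignore` is a hypothetical approximation of what pam_deny with the "prelim_ignore" flag from the referenced patch would do.

```python
"""Model of how a PAM 'password' chain is dispatched by pam_chauthtok().

Added example, not OpenPAM code. Control-flag semantics follow pam.conf(5);
the prelim-pass rule (sufficient treated as optional) is the behaviour this
PR reports. Module behaviour and account databases are constructed.
"""
from typing import Callable, List, Optional, Tuple

# Result codes kept as strings for readability (stand-ins for the PAM_* constants)
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

ModuleFn = Callable[[str, bool], str]      # (user, prelim) -> result code
Chain = List[Tuple[str, str, ModuleFn]]    # (control flag, module name, function)


def dispatch(chain: Chain, user: str, prelim: bool,
             sufficient_as_optional_in_prelim: bool = True) -> Tuple[str, list]:
    """Run one pass over the chain; return (overall result, per-module trace)."""
    first_required_err: Optional[str] = None
    last_err: Optional[str] = None
    nsuccess = 0
    trace = []
    for control, name, fn in chain:
        r = fn(user, prelim)
        trace.append((name, r))
        if r == PAM_IGNORE:
            continue                        # module asked to be skipped entirely
        if r == PAM_SUCCESS:
            nsuccess += 1
            # "sufficient": success ends the chain unless a required module has
            # already failed -- except in the prelim pass, where the chain goes on.
            if (control == "sufficient" and first_required_err is None
                    and not (prelim and sufficient_as_optional_in_prelim)):
                break
            continue
        last_err = r
        if control in ("required", "requisite"):
            if first_required_err is None:
                first_required_err = r
            if control == "requisite":
                break                       # requisite failure aborts at once
        # failures of "sufficient"/"optional" modules are not fatal by themselves
    if first_required_err is not None:
        return first_required_err, trace
    if nsuccess == 0 and last_err is not None:
        return last_err, trace              # nothing succeeded: report the failure
    return PAM_SUCCESS, trace


def chauthtok(chain: Chain, user: str,
              sufficient_as_optional_in_prelim: bool = True) -> str:
    """pam_chauthtok() runs the chain twice: PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK."""
    r, _ = dispatch(chain, user, True, sufficient_as_optional_in_prelim)
    if r != PAM_SUCCESS:
        return r
    r, _ = dispatch(chain, user, False, sufficient_as_optional_in_prelim)
    return r


# Constructed account databases: one LDAP-only user, one local-only user.
LDAP_USERS = {"alice"}
LOCAL_USERS = {"root"}


def pam_ldap(user: str, prelim: bool) -> str:
    return PAM_SUCCESS if user in LDAP_USERS else PAM_USER_UNKNOWN


def pam_unix(user: str, prelim: bool) -> str:
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN


def pam_deny(user: str, prelim: bool) -> str:
    return PAM_PERM_DENIED


def pam_deny_prelim_ignore(user: str, prelim: bool) -> str:
    # Hypothetical model of pam_deny with the "prelim_ignore" flag from the
    # referenced patch: stay out of the prelim pass, deny in the update pass.
    return PAM_IGNORE if prelim else PAM_PERM_DENIED


# The two configurations from How-To-Repeat, plus the patched variant of the second.
CONFIG_A: Chain = [("sufficient", "pam_ldap.so", pam_ldap),
                   ("required", "pam_unix.so", pam_unix)]
CONFIG_B: Chain = [("sufficient", "pam_ldap.so", pam_ldap),
                   ("sufficient", "pam_unix.so", pam_unix),
                   ("required", "pam_deny.so", pam_deny)]
CONFIG_B_PATCHED: Chain = CONFIG_B[:2] + [("required", "pam_deny.so", pam_deny_prelim_ignore)]

if __name__ == "__main__":
    print("A, alice, prelim rule    :", chauthtok(CONFIG_A, "alice"))
    print("A, alice, no prelim rule :", chauthtok(CONFIG_A, "alice", False))
    print("B, alice, prelim rule    :", chauthtok(CONFIG_B, "alice"))
    print("B patched, alice         :", chauthtok(CONFIG_B_PATCHED, "alice"))
    print("A, root                  :", chauthtok(CONFIG_A, "root"))
```

With the prelim rule in place, the LDAP-only user fails both configurations because the chain runs on into pam_unix or pam_deny after pam_ldap has already succeeded; with the rule switched off (the behaviour the submitter expects from Linux) or with the patched pam_deny staying out of the prelim pass, the same user succeeds. The local-only user is unaffected either way.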

>Audit-Trail:
From: Petr Padrta <padrta@chemi.muni.cz>
To: gnats-bugs@NetBSD.org
Cc: Edgar Fuss <ef@math.uni-bonn.de>
Subject: Re: security/38276
Date: Wed, 28 May 2008 12:41:34 +0200

 I'd just like to note that the patch works (after the "prelim_ignore" flag is
 appended to the pam_deny module) but it also causes an unfortunate side effect. If
 you have a root account in /etc/passwd and do from any other account "passwd
 root" it will allow you to change the root password without knowledge of the old
 password!! At least it does so on my NetBSD/i386 3.1 box. From the analysis of
 the OpenPAM sources and the patch it seems that it is exploitable for all
 local users but I'm no (Open)PAM expert so maybe I'm missing something. BTW, I
 wasn't able to get rid of the problem with any combination of try_first_pass,
 use_first_pass and other flags which I tried (out of desperation).

 I don't have time/knowledge to mess with OpenPAM internals so for the time
 being I've just commented out both pam_unix and pam_deny and changed pam_ldap
 to required. Now I change my ldap passwords with "passwd" and local passwords
 with "passwd -l".

 ----------------------------------------------------------------------

 Petr Padrta
 padrta@chemi.muni.cz
