NetBSD Problem Report #38276
From duck@shangtai.net Sat Mar 22 13:08:00 2008
Return-Path: <duck@shangtai.net>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by narn.NetBSD.org (Postfix) with ESMTP id 9AFE363B863
for <gnats-bugs@gnats.NetBSD.org>; Sat, 22 Mar 2008 13:08:00 +0000 (UTC)
Message-Id: <20080322130754.463F12D4D6@knightrider.shangtai.net>
Date: Sat, 22 Mar 2008 15:07:54 +0200 (EET)
From: duck@multi.fi
Reply-To: duck@multi.fi
To: gnats-bugs@gnats.NetBSD.org
Subject: openpam treats sufficient as optional in "prelim" phase making pam_ldap fail
X-Send-Pr-Version: 3.95
>Number: 38276
>Category: security
>Synopsis: openpam treats sufficient as optional in "prelim" phase making pam_ldap fail
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: security-officer
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sat Mar 22 13:10:00 +0000 2008
>Last-Modified: Wed May 28 11:50:01 +0000 2008
>Originator: duck@multi.fi
>Release: NetBSD 3.1_STABLE
>Organization:
>Environment:
System: NetBSD knightrider.shangtai.net 3.1_STABLE NetBSD 3.1_STABLE (KITT) #0: Sat Mar 17 11:09:56 EET 2007 root@knightrider.shangtai.net:/usr/obj/sys/arch/alpha/compile.alpha/KITT alpha
Architecture: alpha
Machine: alpha
>Description:
I bumped into a problem previously seen by Edgar Fuss <ef@math.uni-bonn.de>
in 2007, where pam treats "sufficient" configurations as "optional" in the
"prelim" phase. This makes it impossible to change passwords in the ldap
database via passwd(1) using pam_ldap because, as the ldap module is treated
as optional, the preliminary test is not stopped but continues to pam_unix or
whatever other module follows, failing the attempt.
Also note that the prelim check is not invoked if the caller is root.
See Edgar's original message: http://mail-index.netbsd.org/tech-userlevel/2007/08/25/0006.html
>How-To-Repeat:
pam_ldap will fail with the following configuration setting:
    password sufficient pam_ldap.so
    password required pam_unix.so
or
    password sufficient pam_ldap.so
    password sufficient pam_unix.so
    password required pam_deny.so
both of which I understand work on Linux.
>Fix:
A patch to pam_deny fixes the issue:
http://mail-index.netbsd.org/tech-userlevel/2007/08/29/0001.html
>Audit-Trail:
From: Petr Padrta <padrta@chemi.muni.cz>
To: gnats-bugs@NetBSD.org
Cc: Edgar Fuss <ef@math.uni-bonn.de>
Subject: Re: security/38276
Date: Wed, 28 May 2008 12:41:34 +0200
I'd just like to note that the patch works (after the "prelim_ignore" flag is
appended to the pam_deny module) but it also causes an unfortunate side effect.
If you have a root account in /etc/passwd and run "passwd root" from any other
account, it will allow you to change the root password without knowledge of the
old password!! At least it does so on my NetBSD/i386 3.1 box. From the analysis
of the OpenPAM sources and the patch it seems that it is exploitable for all
local users, but I'm no (Open)PAM expert so maybe I'm missing something. BTW, I
wasn't able to get rid of the problem with any combination of try_first_pass,
use_first_pass and other flags which I tried (out of desperation).
I don't have the time/knowledge to mess with OpenPAM internals, so for the time
being I've just commented out both pam_unix and pam_deny and changed pam_ldap
to required. Now I change my LDAP passwords with "passwd" and local passwords
with "passwd -l".
----------------------------------------------------------------------
Petr Padrta
padrta@chemi.muni.cz
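The control-flag behaviour described in the report and in the follow-up above, as an added model that is not OpenPAM code and not part of this PR: a small dispatcher walks a "password" chain in the prelim phase, with one switch for the reported demotion of "sufficient" to "optional" and another for the proposed pam_deny prelim_ignore flag. The account data, module stubs and string result codes are constructed for the illustration.

```python
# Constructed model of how a PAM "password" chain is walked in the
# PAM_PRELIM_CHECK phase; illustrative code, not OpenPAM source. String
# codes stand in for the numeric PAM_* constants.

SUCCESS, IGNORE, USER_UNKNOWN, DENIED = (
    "PAM_SUCCESS", "PAM_IGNORE", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")

# Assumed account data: alice exists only in LDAP, root only in /etc/passwd.
LDAP_USERS = {"alice": "alice-old"}
LOCAL_USERS = {"root": "root-old"}

# Prelim-phase module stubs: each verifies the old password in its own store.
def pam_ldap(user, old_pw, **_):
    if user not in LDAP_USERS:
        return USER_UNKNOWN
    return SUCCESS if LDAP_USERS[user] == old_pw else DENIED

def pam_unix(user, old_pw, **_):
    if user not in LOCAL_USERS:
        return USER_UNKNOWN
    return SUCCESS if LOCAL_USERS[user] == old_pw else DENIED

def pam_deny(user, old_pw, prelim_ignore=False):
    # The proposed patch adds a flag that makes pam_deny stand aside in prelim.
    return IGNORE if prelim_ignore else DENIED

def dispatch(chain, user, old_pw, sufficient_as_optional, prelim_ignore=False):
    """Walk (control_flag, module) pairs the way a PAM dispatcher does.

    sufficient_as_optional models the reported behaviour where "sufficient"
    is demoted to "optional" during the prelim phase.
    """
    fail_err = SUCCESS
    for flag, module in chain:
        r = module(user, old_pw, prelim_ignore=prelim_ignore)
        if flag == "sufficient" and sufficient_as_optional:
            flag = "optional"
        if flag == "required" and r not in (SUCCESS, IGNORE) and fail_err == SUCCESS:
            fail_err = r                 # remember the first failure, keep walking
        elif flag == "sufficient" and r == SUCCESS and fail_err == SUCCESS:
            return SUCCESS               # short-circuit: later modules never run
        # "optional" results (and a failing "sufficient") never affect the verdict
    return fail_err

# The two chains from How-To-Repeat.
CHAIN_A = [("sufficient", pam_ldap), ("required", pam_unix)]
CHAIN_B = [("sufficient", pam_ldap), ("sufficient", pam_unix), ("required", pam_deny)]
```

With the demotion switched off an LDAP-only user passes both chains; with it on, chain A falls through to pam_unix and chain B reaches pam_deny, and once pam_deny is told to ignore the prelim phase, a wrong old password for root passes the check, which is the side effect noted in the follow-up.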