Bug 109485 - sys-libs/pam: unix_chkpwd doesn't verify requesting user with SELinux (CAN-2005-2977)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B4? [glsa]
Keywords:
Duplicates: 109486
Depends on:
Blocks:
 
Reported: 2005-10-16 10:03 UTC by Chris PeBenito (RETIRED)
Modified: 2005-10-28 04:32 UTC

Attachments
pam-0.77-can-2005-2977.patch (pam-0.77-can-2005-2977.patch,3.07 KB, patch)
2005-10-23 07:11 UTC, Chris PeBenito (RETIRED)

Description Chris PeBenito (RETIRED) gentoo-dev 2005-10-16 10:03:44 UTC
Description of problem:


Version-Release number of selected component (if applicable):
all pam with the SELinux patch included (FC3,4 RHEL4)

How reproducible:

Try:
$ echo -n <root password> | /sbin/unix_chkpwd root nonull && echo OK

OK should not be printed.


So the problem is in this part of SELinux patch:
        /*
-        * determine the current user's name is
+        * determine the current user's name is.
+        * On a SELinux enabled system, policy will prevent third
parties from using
+        * unix_chkpwd as a password guesser.  Leaving the existing
check prevents
+        * su from working,  Since the current uid is the users and the
password is
+        * for root.
         */
-       user = getuidname(getuid());
-       if (argc == 2) {
-           /* if the caller specifies the username, verify that user
-              matches it */
-           if (strcmp(user, argv[1])) {
-               force_failure = 1;
-           }
+       if (SELINUX_ENABLED) {
+         user=argv[1];
+       }
+       else {
+         user = getuidname(getuid());
+         /* if the caller specifies the username, verify that user
+            matches it */
+         if (strcmp(user, argv[1])) {
+           return PAM_AUTH_ERR;
+         }
+       }
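Review bot: The `if (SELINUX_ENABLED)` branch needs its own caller check: `user=argv[1];` accepts whatever account name is passed on the command line and skips the `strcmp(user, argv[1])` comparison against `getuidname(getuid())`, so the helper will test a password for any account whenever SELinux policy does not confine the caller. The new comment says policy is the only barrier here; suggest keeping the name comparison for ordinary callers and allowing a mismatch only for a caller that is entitled to check another account, so the su case in the comment still works without opening the check to everyone. Two smaller points: the removed code guarded the comparison with `if (argc == 2)` while the added lines read `argv[1]` with no argc test visible in this hunk, so confirm argc is validated earlier; and the else branch now does `return PAM_AUTH_ERR;` where the old code set `force_failure = 1`, so check that the early return does not skip any failure handling that followed.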

So unix_chkpwd allows brute-forcing of any passwords in /etc/shadow.
Also note that there is no delay if the password is incorrect - it exits
immediately, and there is no logging of failed attempts.
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2005-10-16 10:04:57 UTC
Further information here:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168180
Comment 2 rob holland (RETIRED) gentoo-dev 2005-10-16 10:06:14 UTC
*** Bug 109486 has been marked as a duplicate of this bug. ***
Comment 3 Chris PeBenito (RETIRED) gentoo-dev 2005-10-23 07:11:01 UTC
Created attachment 71286 [details, diff]
pam-0.77-can-2005-2977.patch

This tests ok, so how to proceed?
Comment 4 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 07:12:33 UTC
Oops, missed that bug because it wasn't assigned to security.
This should be committed to Portage after release date.

Security: please vote on GLSA need
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 07:13:14 UTC
Public now.
Comment 6 Chris PeBenito (RETIRED) gentoo-dev 2005-10-26 07:16:16 UTC
pam-0.78-r3 committed
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-10-26 07:35:07 UTC
Committed directly with correct keywords, so ready for GLSA vote.
I vote yes given the sensitive nature of SELinux.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-26 08:44:51 UTC
I vote YES too. 
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-10-28 04:32:25 UTC
GLSA 200510-22