Bug 702252 (CVE-2019-19882) - <sys-apps/shadow-4.8-r3[pam] installs setuid binaries with permissive pam configuration allowing user/group management without authentication (CVE-2019-19882)
Summary: <sys-apps/shadow-4.8-r3[pam] installs setuid binaries with permissive pam con...
Status: RESOLVED FIXED
Alias: CVE-2019-19882
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-12-07 17:37 UTC by Michael Weiser
Modified: 2023-02-17 01:49 UTC (History)

See Also:
Package list:
sys-apps/shadow-4.8-r4
Runtime testing required: ---
nattka: sanity-check-


Description Michael Weiser 2019-12-07 17:37:35 UTC
Merging sys-apps/shadow-4.8-r1[pam] yields a number of setuid binaries in /usr/sbin:

 15518409     76 -rws--x--x   1 root     root        76840 Dec  7 17:56 /usr/sbin/groupdel
 15518431     88 -rws--x--x   1 root     root        89224 Dec  7 17:56 /usr/sbin/userdel
 15518154     60 -rws--x--x   1 root     root        59912 Dec  7 17:56 /usr/sbin/chgpasswd
 15518419     84 -rws--x--x   1 root     root        85160 Dec  7 17:56 /usr/sbin/groupmod
 15518411     84 -rws--x--x   1 root     root        85224 Dec  7 17:56 /usr/sbin/groupadd
 15518426     96 -rws--x--x   1 root     root        97416 Dec  7 17:56 /usr/sbin/newusers
 15518429    132 -rws--x--x   1 root     root       131312 Dec  7 17:56 /usr/sbin/useradd
 15518407     60 -rws--x--x   1 root     root        59976 Dec  7 17:56 /usr/sbin/chpasswd
 15518428    132 -rws--x--x   1 root     root       131088 Dec  7 17:56 /usr/sbin/usermod

It also installs respective pam.d configuration files which contain pam_permit for auth:

#%PAM-1.0 
  
auth       sufficient   pam_rootok.so
auth       required             pam_permit.so

account    include              system-auth

password   required             pam_permit.so

This effectively allows any system user to use these programs without any authentication to create, modify and delete any other system user or group:

[m@n] id
uid=1000(m) gid=1000(m) groups=1000(m),10(wheel),78(kvm),103(power)
[m@n] ls -lad /home/foo
ls: cannot access '/home/foo': No such file or directory
[m@n] grep ^foo /etc/passwd
[m@n] useradd -m foo
[m@n] ls -lad /home/foo
drwxr-xr-x 3 foo foo 4096 Dec  7 18:02 /home/foo
[m@n] grep ^foo /etc/passwd
foo:x:1001:1001::/home/foo:/bin/bash
[m@n] 

As is to be expected, removing pam_permit disables that function:

[m@n] ls -la /usr/sbin/useradd
-rws--x--x 1 root root 131312 Dec  7 17:56 /usr/sbin/useradd
[m@n] grep permit /etc/pam.d/useradd
#auth       required		pam_permit.so
password   required		pam_permit.so
[m@n] useradd -m bar
useradd: PAM: Permission denied

So does removing the setuid bit:

[m@n] ls -la /usr/sbin/useradd
-rwx--x--x 1 root root 131312 Dec  7 17:56 /usr/sbin/useradd
[m@n] grep permit /etc/pam.d/useradd
auth       required		pam_permit.so
password   required		pam_permit.so
[m@n] useradd -m bar
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.

<=sys-apps/shadow-4.7-r2 installs the same permissive pam configs but no setuid binaries. It seems this was broken in the upstream package and fixed in 4.8, as told by the ChangeLog:

2019-12-01  Serge Hallyn <serge@hallyn.com>
  
        * Release 4.8
[...]
        * Fix failing chmod calls for suidubins
[...]

1. Whether the binaries are installed setuid is governed by configure flag --enable-account-tools-setuid. It is not explicitly governed by the ebuild. Its default is derived from whether --with-libpam is on. The ebuild has a $(use_with pam libpam) for that. USE flag pam is enabled in the default/linux profile and AFAICT only masked for uclibc profiles, thus very likely hitting a large number of people:

/usr/portage/profiles/default/linux/make.defaults:USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"

A stop-gap measure is to disable USE flag pam for sys-apps/shadow, effectively reverting to the state of sys-apps/shadow-4.7-r2: permissive pam configs but no setuid binaries to exploit them.

IMO USE flag pam should be masked for sys-apps/shadow globally so users can consciously opt in to having setuid binaries and PAM functionality in this sensitive area of system management.

2. The ebuild's pam configuration is too permissive. pam_permit should be removed for auth or (more explicitly) replaced with pam_deny. pam_rootok will still permit use by root. Other directives to open it up can and must be added by the consenting admin who knows what they're doing. The upstream source contains configs that look about right:

[m@n:~/shadow-4.8] cat etc/pam.d/useradd
#%PAM-1.0
auth		sufficient	pam_rootok.so
account		required	pam_permit.so
password	include		system-auth

Reproducible: Always

Portage 2.3.81 (python 3.6.9-final-0, default/linux/amd64/17.1/desktop, gcc-9.2.0, glibc-2.30-r3, 5.4.1-gentoo x86_64)
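A defender's check for the two conditions described in this report (setuid-root account tools plus an auth stack that falls through to pam_permit), written as an added example that is not part of the bug report or of Gentoo's or shadow's code. It models the Linux-PAM control flags only as far as needed for an unauthenticated non-root caller (no bracketed controls, no /etc/pam.d/other fallback), and the sample stacks are constructed from the ones quoted above.

```python
"""Audit shadow's account tools for the CVE-2019-19882 pattern: setuid root plus an
'auth' stack that lets a non-root caller through without any credential."""
import os
import stat

ACCOUNT_TOOLS = ("useradd", "userdel", "usermod", "groupadd", "groupdel",
                 "groupmod", "chpasswd", "chgpasswd", "newusers")

# Module outcome for a non-root caller supplying no credential: pam_permit.so succeeds;
# pam_rootok.so fails (uid != 0); pam_deny.so, credential-asking modules and 'include' fail.
ALWAYS_SUCCEEDS = {"pam_permit.so"}

def parse_pam(text):
    """Return (type, control, module) triples; comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:   # bracketed '[success=...]' controls are not modelled
            entries.append((parts[0].lower(), parts[1].lower(), parts[2]))
    return entries

def auth_open_to_nonroot(text):
    """True if pam_authenticate() would succeed for an unauthenticated non-root caller."""
    verdict = None   # set by the first failing or succeeding 'required' module
    for mtype, control, module in parse_pam(text):
        if mtype != "auth":
            continue
        success = module in ALWAYS_SUCCEEDS
        if control in ("include", "substack"):
            control, success = "required", False
        if control == "sufficient":
            if success and verdict is not False:   # ends the stack with success
                return True
        elif control in ("required", "requisite"):
            if not success:
                if control == "requisite":
                    return False
                verdict = False   # PAM keeps walking the stack, but the result is fixed
            elif verdict is None:
                verdict = True
    return verdict is True   # 'optional' modules and an empty stack count as denial

def is_setuid_root(path):
    """True for the 'rws--x--x root root' situation shown in the report."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0

def classify(setuid_root, pam_text):
    """A tool is only a problem when it is setuid root AND its auth stack is open."""
    if not setuid_root:
        return "safe: not setuid root"
    if auth_open_to_nonroot(pam_text):
        return "VULNERABLE: setuid root and auth stack admits any caller"
    return "ok: setuid root but auth stack denies non-root callers"

def audit_system(sbin="/usr/sbin", pamd="/etc/pam.d"):
    """Check the live system; a missing pam.d file is treated as an empty (denying) stack."""
    report = {}
    for tool in ACCOUNT_TOOLS:
        try:
            with open(os.path.join(pamd, tool)) as fh:
                text = fh.read()
        except FileNotFoundError:
            text = ""   # real PAM would consult /etc/pam.d/other; not modelled here
        report[tool] = classify(is_setuid_root(os.path.join(sbin, tool)), text)
    return report

# Constructed samples mirroring the stacks quoted in this bug.
GENTOO_4_8_R1 = """\
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_permit.so
account    include      system-auth
password   required     pam_permit.so
"""
PAM_DENY_FIX = GENTOO_4_8_R1.replace("pam_permit.so\naccount", "pam_deny.so\naccount")
COMMENTED_OUT = GENTOO_4_8_R1.replace("auth       required", "#auth      required")
UPSTREAM_4_8 = "#%PAM-1.0\nauth sufficient pam_rootok.so\naccount required pam_permit.so\n"
if __name__ == "__main__":
    for tool, verdict in audit_system().items():
        print(f"{tool:10s} {verdict}")
```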
Comment 1 Michael Weiser 2019-12-07 18:11:40 UTC
-pam also kills PAM support in /bin/su, /bin/passwd and /bin/login. :-/

An explicit use_enable seems the way to go:

--- /usr/portage/sys-apps/shadow/files/pam.d-include/shadow	2015-08-09 02:38:18.000000000 +0200
+++ /usr/local/portage/sys-apps/shadow/files/pam.d-include/shadow	2019-12-07 18:59:56.920440259 +0100
@@ -1,7 +1,7 @@
 #%PAM-1.0 
 
 auth       sufficient	pam_rootok.so
-auth       required		pam_permit.so
+auth       required		pam_deny.so
 
 account    include		system-auth
 
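Review bot: with this hunk the auth stack becomes `sufficient pam_rootok.so` followed by `required pam_deny.so`, so only a uid 0 caller passes and any delegation has to be opted into explicitly; that is the right default for a shared template that every tool built from pam.d-include/shadow picks up. Worth stating in the commit message that admins who relied on the old fall-through must now put their own auth module in place of pam_deny, and that the `password required pam_permit.so` line quoted in the description is left untouched, which is harmless because the useradd.c excerpt quoted further down only calls pam_authenticate() and pam_acct_mgmt(), never the password stack.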
diff -ur /usr/portage/sys-apps/shadow/shadow-4.8-r1.ebuild /usr/local/portage/sys-apps/shadow/shadow-4.8-r1.ebuild
--- /usr/portage/sys-apps/shadow/shadow-4.8-r1.ebuild	2019-12-02 11:39:41.000000000 +0100
+++ /usr/local/portage/sys-apps/shadow/shadow-4.8-r1.ebuild	2019-12-07 18:59:43.413518749 +0100
@@ -12,7 +12,7 @@
 LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86"
-IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr"
+IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr account-tools-setuid"
 # Taken from the man/Makefile.am file.
 LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
 
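Review bot: the new `account-tools-setuid` flag needs a REQUIRED_USE constraint, `REQUIRED_USE="account-tools-setuid? ( pam )"`, because configure aborts with "PAM support is required for --enable-account-tools-setuid" when libpam is off (see comment 3); without it USE="-pam account-tools-setuid" fails at build time instead of at dependency resolution. A new IUSE entry also needs a local flag description in metadata.xml.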
@@ -68,6 +68,7 @@
 		$(use_with skey)
 		$(use_with su)
 		$(use_with xattr attr)
+		$(use_enable account-tools-setuid)
 	)
 	econf "${myeconfargs[@]}"
 
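Review bot: passing `$(use_enable account-tools-setuid)` only changes the configure step; the ebuild still installs the pam.d files for useradd, userdel and the other account tools unconditionally, even though with the flag off the binaries contain no PAM support at all (the ldd output below shows useradd no longer linked against libpam). Guard that installation with the same flag, as the comment itself suggests, so the system does not carry PAM service files that nothing consults.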

Incidentally, this not only disables setuid install of the binaries but also PAM support in them, while the other tools retain PAM support:

$ ldd /bin/login /usr/sbin/useradd 
/bin/login:
	linux-vdso.so.1 (0x00007ffd217fe000)
	libpam.so.0 => /lib64/libpam.so.0 (0x00007f7bd6023000)
	libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007f7bd601e000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f7bd5e4c000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f7bd5e46000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f7bd607f000)
/usr/sbin/useradd:
	linux-vdso.so.1 (0x00007ffd08b68000)
	libacl.so.1 => /lib64/libacl.so.1 (0x00007f19c6602000)
	libattr.so.1 => /lib64/libattr.so.1 (0x00007f19c65fa000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f19c6428000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f19c666d000)

src/Makefile.am:
if ACCT_TOOLS_SETUID
suidusbins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
endif
[...]
if ACCT_TOOLS_SETUID
LIBPAM_SUID  = $(LIBPAM)
else
LIBPAM_SUID  =
endif

src/useradd.c:
#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
[...]
        if (PAM_SUCCESS == retval) {
                retval = pam_authenticate (pamh, 0);
        }

        if (PAM_SUCCESS == retval) {
                retval = pam_acct_mgmt (pamh, 0);
        }
[...]
        (void) pam_end (pamh, retval);
#endif                          /* USE_PAM */
#endif                          /* ACCT_TOOLS_SETUID */

So install of the pam configs could be omitted in that case as well.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-12-08 12:22:02 UTC
Would this change be a good mitigation?

@@ -58,6 +59,7 @@
                --enable-shared=no
                --enable-static=yes
                $(use_enable nls)
+               $(use_enable !pam account-tools-setuid)
                $(use_with acl)
                $(use_with audit)
                $(use_with bcrypt)
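Review bot: `$(use_enable !pam account-tools-setuid)` inverts the intended relation: it passes --enable-account-tools-setuid exactly when pam is disabled, which configure rejects ("PAM support is required for --enable-account-tools-setuid", comment 3), so USE=-pam builds would break, while USE=pam builds get --disable-account-tools-setuid. If the goal is to never install the tools setuid, pass `--disable-account-tools-setuid` unconditionally.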
Comment 3 Michael Weiser 2019-12-08 12:58:33 UTC
Do I understand correctly that it is intended to:

a.) disable setuid account management tools if PAM support is enabled and
b.) enable setuid account management tools if PAM support is disabled?

What happens if someone wants c.) PAM support *and* setuid account management tools enabled?

Also, if someone disabled PAM support, wouldn't that leave them with setuid root user management binaries and no authentication whatsoever, again opening up arbitrary user management by any user on the system? I guess the binaries could be chgrp'd to some acctmgmt group and set to mode 1710 to gain some control of that.

Configure --help reads:

  --enable-account-tools-setuid
                          Install the user and group management tools setuid
                          and authenticate the callers. This requires
                          --with-pam.

So I think case b.) is not intended, supported nor tested. Actually, come to think of it and testing it, configure refuses that combination:

./configure --without-libpam --enable-account-tools-setuid
checking for a BSD-compatible install... /usr/bin/install -c
[...]
checking use login and su access checking if PAM not used... yes
configure: error: PAM support is required for --enable-account-tools-setuid

So I think $(use_enable !pam account-tools-setuid) would break building with -pam.

Also, please don't forget that for case c.) (setuid + pam), the pam.d configs still need to be fixed not to leave user management open to anyone by default.
Comment 4 Larry the Git Cow gentoo-dev 2019-12-17 07:50:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f569e6070dea96b746db27eb5586f7a73c99916d

commit f569e6070dea96b746db27eb5586f7a73c99916d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-12-17 07:50:29 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-12-17 07:50:49 +0000

    sys-apps/shadow: Revbump to no longer install binaries SUID-root
    
    Thanks-to: Michael Weiser <michael@weiser.dinsnail.net>
    Bug: https://bugs.gentoo.org/702252
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/{shadow-4.8-r1.ebuild => shadow-4.8-r2.ebuild} | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-12-17 07:52:59 UTC
To be honest, I don't see a compelling reason to install these binaries SUID-root. If someone wants to enable users to use these binaries, one can still create corresponding sudo rules.
Comment 6 Michael Weiser 2019-12-17 08:47:07 UTC
Thanks! Should we drop the IMO broken PAM configs as well? I volunteer to do a PR on GitHub if helpful.
Comment 7 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2019-12-17 09:29:16 UTC
(In reply to Michael Weiser from comment #6)
> Thanks! Should we drop the IMO broken PAM configs as well? I volunteer to do
> a PR on GitHub if helpful.

That would be great. I am not really a pam expert so I'd like to have your forthcoming PR reviewed by some other Gentoo devs.
Comment 8 Michael Weiser 2019-12-17 20:11:22 UTC
BTW: Upstream is aware of us: https://github.com/shadow-maint/shadow/pull/199 and reconsidering the default of --enable-account-tools-setuid.
Comment 9 Michael Weiser 2019-12-17 21:02:01 UTC
https://github.com/gentoo/gentoo/pull/14032
Comment 10 Larry the Git Cow gentoo-dev 2020-01-19 01:01:32 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a443ab9811b242ae2cbf8259cb85d43b1

commit c7da130a443ab9811b242ae2cbf8259cb85d43b1
Author:     Michael Weiser <michael.weiser@gmx.de>
AuthorDate: 2019-12-17 19:02:40 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-01-19 01:00:17 +0000

    sys-apps/shadow: Revbump to fix up PAM configuration
    
    shadow includes a number of administrative account management binaries
    like useradd, chage and chpasswd, traditionally only usable by root.
    In shadow they can be compiled with PAM support and installed setuid.
    PAM configuration can then be used to delegate account management to
    users other than root.
    
    The previous config contained the pam_rootok module to provide default
    behaviour of allowing account management when called as root. But it
    also contained pam_permit which would allow everyone else to also do
    account management without any authentication.
    
    To close this loophole we remove pam_permit from the config. Also,
    chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant
    for scripting. They only contain PAM support if configure flag
    --enable-account-tools-setuid is in effect and are then installed setuid
    root. They should use the same restrictive PAM configuration as their
    siblings.  But with setuid user management tools and PAM support within
    them disabled by commit f569e607 we can stop installing the
    configuration files as well.
    
    chfn and chsh are intended to be called by the user as self-service
    tools. For this reason they're always installed setuid root and contain
    PAM support. They should be allowed to work but maybe not without some
    prior authentication to avoid attacks such as someone finding an
    unlocked session and using chfn to redirect phone calls intended for the
    user to himself. The existing passwd config seems perfect for that and
    is aptly named in that both tools change user information normally
    stored in /etc/passwd.
    
    groupmems is another user self-service tool. It allows the user to add
    people to their user-private group, allowing them trusted access to
    normally private files. It is not installed setuid like chfn and chsh
    but always contains PAM support. Upstream installs a locked down PAM
    config by default.
    
    Since default shell profiles on Gentoo do not change umask to 0002 when
    a private user group is in use, impact will only be to allow read access
    to those additional users by default.
    
    Since the idea of adding more users to the user *private* group is
    questionable, go with upstream's default of locking the PAM config down
    so that an admin not only needs to make the binary suid but also adjust
    the PAM config, in the process hopefully considering what they're doing.
    
    Bug: https://bugs.gentoo.org/702252
    Closes: https://github.com/gentoo/gentoo/pull/14032
    Reviewed-by: Mikle Kolyada <zlogene@gentoo.org>
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/files/pam.d-include/shadow-r1 |   7 +
 sys-apps/shadow/shadow-4.8-r3.ebuild          | 233 ++++++++++++++++++++++++++
 2 files changed, 240 insertions(+)
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-07 19:06:03 UTC
Let's get this stable.
Comment 12 Agostino Sarubbo gentoo-dev 2020-03-08 09:56:51 UTC
s390 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-08 10:21:30 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2020-03-08 10:24:04 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2020-03-08 10:25:45 UTC
arm stable
Comment 16 Agostino Sarubbo gentoo-dev 2020-03-08 11:11:24 UTC
ppc stable
Comment 17 Agostino Sarubbo gentoo-dev 2020-03-08 12:13:04 UTC
x86 stable
Comment 18 Agostino Sarubbo gentoo-dev 2020-03-08 12:34:38 UTC
ia64 stable
Comment 19 Agostino Sarubbo gentoo-dev 2020-03-08 12:35:42 UTC
ppc64 stable
Comment 20 Mart Raudsepp gentoo-dev 2020-03-17 10:18:00 UTC
arm64 stable
Comment 21 Rolf Eike Beer archtester 2020-03-18 18:20:56 UTC
hppa stable
Comment 22 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 14:07:38 UTC
SuperH port disbanded.
Comment 23 Sergei Trofimovich (RETIRED) gentoo-dev 2020-04-21 07:48:34 UTC
m68k dropped stable keywords
Comment 24 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-21 07:52:02 UTC
@maintainer(s), please cleanup
Comment 25 Larry the Git Cow gentoo-dev 2020-04-21 08:24:46 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56a1b1be9d9b3661cc4f2ab036312d47892c4118

commit 56a1b1be9d9b3661cc4f2ab036312d47892c4118
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-21 08:13:36 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-21 08:24:39 +0000

    sys-apps/shadow: Security cleanup
    
    Bug: https://bugs.gentoo.org/702252
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/Manifest                           |   2 -
 sys-apps/shadow/files/shadow-4.7-optional_su.patch | 130 ------------
 sys-apps/shadow/shadow-4.6.ebuild                  | 214 -------------------
 sys-apps/shadow/shadow-4.7-r2.ebuild               | 236 ---------------------
 4 files changed, 582 deletions(-)
Comment 26 NATTkA bot gentoo-dev 2020-08-21 08:09:43 UTC
Unable to check for sanity:

> no match for package: sys-apps/shadow-4.8-r4
Comment 27 GLSAMaker/CVETool Bot gentoo-dev 2020-08-25 12:54:29 UTC
This issue was resolved and addressed in
 GLSA 202008-09 at https://security.gentoo.org/glsa/202008-09
by GLSA coordinator Sam James (sam_c).
Comment 28 Joakim Tjernlund 2020-09-15 09:16:20 UTC
We have an embedded ppc, 32 bits with sys-apps/shadow-4.6
USE=nls pam xattr -acl -audit -cracklib -selinux -skey
which has
ls -l /usr/sbin/{groupadd,groupdel,groupmod,useradd,userdel,usermod}
-rwxr-xr-x 1 root root  66396 Mar 28  2019 /usr/sbin/groupadd*
-rwxr-xr-x 1 root root  62212 Mar 28  2019 /usr/sbin/groupdel*
-rwxr-xr-x 1 root root  66368 Mar 28  2019 /usr/sbin/groupmod*
-rwxr-xr-x 1 root root 103748 Mar 28  2019 /usr/sbin/useradd*
-rwxr-xr-x 1 root root  70448 Mar 28  2019 /usr/sbin/userdel*
-rwxr-xr-x 1 root root  99580 Mar 28  2019 /usr/sbin/usermod*

So I suspect this version is not vulnerable?