Description of problem:

Version-Release number of selected component (if applicable): all pam with the SELinux patch included (FC3,4 RHEL4)

How reproducible:
Try:
$ echo -n <root password> | /sbin/unix_chkpwd root nonull && echo OK
OK should not be printed.

So the problem is in this part of SELinux patch:
/* - * determine the current user's name is + * determine the current user's name is. + * On a SELinux enabled system, policy will prevent third parties from using + * unix_chkpwd as a password guesser. Leaving the existing check prevents + * su from working, Since the current uid is the users and the password is + * for root. */ - user = getuidname(getuid()); - if (argc == 2) { - /* if the caller specifies the username, verify that user - matches it */ - if (strcmp(user, argv[1])) { - force_failure = 1; - } + if (SELINUX_ENABLED) { + user=argv[1]; + } + else { + user = getuidname(getuid()); + /* if the caller specifies the username, verify that user matches it */ + if (strcmp(user, argv[1])) { + return PAM_AUTH_ERR; + } + }

So unix_chkpwd allows brute-forcing of any passwords in /etc/shadow. Also note that there is no delay if the password is incorrect - it exits immediately, and there is no logging of failed attempts.
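Review bot: the SELINUX_ENABLED branch takes the account name straight from argv[1] and drops the comparison against getuidname(getuid()) that the else branch keeps, so on a SELinux-enabled system any local caller can point the helper at any account, which is exactly the `echo -n <root password> | /sbin/unix_chkpwd root nonull` reproduction above; the comment defers the check to policy, but the program should not depend on policy for this, and the guard belongs in both branches (compare the requested name with the caller's own name, exempting only a uid 0 caller). The removed `if (argc == 2)` guard is also not restored in either branch, so `strcmp(user, argv[1])` and `user=argv[1]` run without confirming that the argument was supplied. Finally, replacing `force_failure = 1` with an immediate `return PAM_AUTH_ERR` makes a mismatch exit at once, which matches the report's observation that there is no delay and no logging on failure; keeping the deferred-failure path (and logging the refusal) would slow and expose repeated guessing.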
Further information here: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=168180
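The check the report says is missing, written out as an added C example (this is not the pam or unix_chkpwd source; the function names caller_may_check and record_failure are hypothetical). It applies the caller-to-account rule regardless of whether SELinux is enabled, refuses when the account argument is absent, and logs and delays on refusal, the two behaviours the reporter notes are absent:

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>
#include <pwd.h>
#include <sys/types.h>

/* Decide whether a process running as caller_uid (account caller_name) may ask
 * the helper to verify the password of requested_user. The rule does not
 * depend on SELinux: an unprivileged caller may only check its own account,
 * and a missing account argument is refused rather than dereferenced. */
int caller_may_check(uid_t caller_uid, const char *caller_name,
                     const char *requested_user)
{
    if (requested_user == NULL || caller_name == NULL)
        return 0;               /* no account given or caller unknown: refuse */
    if (caller_uid == 0)
        return 1;               /* root may verify any account */
    return strcmp(caller_name, requested_user) == 0;
}

/* On a refused or failed check, record it in the authpriv log and pause before
 * exiting, so repeated guessing is both slow and visible to the administrator. */
void record_failure(uid_t caller_uid, const char *requested_user,
                    unsigned delay_secs)
{
    openlog("unix_chkpwd-example", LOG_PID, LOG_AUTHPRIV);
    syslog(LOG_NOTICE, "password check for user %s refused/failed (caller uid %u)",
           requested_user ? requested_user : "(none)", (unsigned)caller_uid);
    closelog();
    sleep(delay_secs);
}

int main(int argc, char *argv[])
{
    uid_t uid = getuid();
    struct passwd *pw = getpwuid(uid);
    const char *requested = (argc == 2) ? argv[1] : NULL;

    if (!caller_may_check(uid, pw ? pw->pw_name : NULL, requested)) {
        record_failure(uid, requested, 2);
        return 1;
    }
    /* The actual shadow lookup and hash comparison would follow here. */
    printf("caller uid %u may check account %s\n", (unsigned)uid, requested);
    return 0;
}
```

Run as an ordinary user with your own login name as the argument it proceeds; with `root` or another user's name it logs a notice and exits non-zero after the delay, which is the behaviour the patched helper should have kept in both branches.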
*** Bug 109486 has been marked as a duplicate of this bug. ***
Created attachment 71286 pam-0.77-can-2005-2977.patch This tests ok, so how to proceed?
Oops, missed that bug because it wasn't assigned to security. This should be committed to Portage after release date. Security: please vote on GLSA need
Public now.
pam-0.78-r3 committed
Committed directly with correct keywords, so ready for GLSA vote. I vote yes given the sensitive nature of SELinux.
I vote YES too.
GLSA 200510-22