Bug 267498 - sys-process/at-3.1.10.2-r1[pam] tries accessing /etc/shadow after dropping root privileges
Status: CONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: Zoltan Puskas
Reported: 2009-04-26 05:30 UTC by Tero Pelander
Modified: 2023-02-09 14:07 UTC
Description Tero Pelander 2009-04-26 05:30:31 UTC
If at is compiled with USE=pam then users that are listed only in /etc/passwd don't work. LDAP users do work. The reasons are explained in
https://bugzilla.redhat.com/show_bug.cgi?id=150131

For local users the following line is printed to syslog:
[atd] Authentication service cannot retrieve authentication info

The workaround is to replace the "account" line in /etc/pam.d/atd with the following:
account required pam_permit.so

pam_deny_uc.so - denies UPPERCASE characters in the username (required because of LDAP...)

My /etc/pam.d/system-auth:
auth	requisite	pam_deny_uc.so
auth	sufficient	pam_unix.so try_first_pass nodelay
auth	sufficient	pam_ldap.so use_first_pass
auth	required	pam_deny.so

account	required	pam_unix.so
account	sufficient	pam_localuser.so
account	sufficient	pam_ldap.so ignore_unknown_user

password required	pam_passwdqc.so min=disabled,8,8,8,7 passphrase=0 random=0
password sufficient	pam_ldap.so use_authtok
password sufficient	pam_unix.so md5 shadow use_authtok
password required	pam_deny.so

session required	pam_unix.so
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-26 10:48:05 UTC
Please don't CC maintainers/herds yourself. Leave that to the bug-wranglers.

*** This bug has been marked as a duplicate of bug 267438 ***
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2009-04-26 13:10:11 UTC
Lars, okay for the CC (somewhat) but if you read the bug you duped this against, I explicitly asked for this one!
Comment 3 SpanKY gentoo-dev 2009-04-27 04:56:01 UTC
pam team can modify the pam.d file however it sees fit
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-04-27 05:11:38 UTC
(In reply to comment #2)
> Lars, okay for the CC (somewhat) but if you read the bug you duped this
> against, I explicitly asked for this one!

Sorry for that. I was in a rush when I wrangled this bug.
Comment 5 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-10-31 16:05:37 UTC
This is a bug in at, not in PAM: it shouldn't drop root before calling pam_start; at a minimum it should save the DAC_OVERRIDE cap before doing that.