Bug 922397 - <sys-libs/pam-1.6.1: local denial of service vulnerability in ``
Summary: <sys-libs/pam-1.6.1: local denial of service vulnerability in ``
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: A3 [stable?]
Keywords: PullRequest
Depends on:
Reported: 2024-01-18 16:00 UTC by Christopher Fore
Modified: 2024-05-03 08:23 UTC (History)
3 users

See Also:
Package list:
Runtime testing required: ---


Description Christopher Fore 2024-01-18 16:00:04 UTC

The PAM module explicitly supports bind mounting of polyinstantiated
directories in user controlled locations, like beneath the user's home
directory. Operating with root privileges in user controlled directories
comes with a lot of dangers. To avoid them the function `protect_dir()`
implements a special algorithm to protect the target path of a bind

The function follows the target path for the bind mount starting from
the file system root. Each path component that is under non-root control
is protected from user manipulation, by bind mounting the path upon

While this approach feels unusual, it should be effective to prevent any
shenanigans on the side of the unprivileged user for whom the directory
is mounted.

There is one bit missing though: The algorithm is not passing the
`O_DIRECTORY` flag to `openat()` and is thus subject to special files like
FIFOs being placed in user controlled directories. This can easily be
reproduced e.g. using this configuration entry in the `namespace.conf`
configuration file:

    $HOME/tmp /var/tmp/tmp-inst/ user:create root

An unprivileged user (that is not yet in a corresponding mount namespace
with ~/tmp mounted as a polyinstantiated dir) can now place a FIFO

    nobody$ mkfifo $HOME/tmp

A subsequent attempt to login as this user with `pam_namespace`
configured will cause the `openat()` in `protect_dir()` to block,
causing a local denial of service.

The above is fixed in 1.6.0 and in this commit:
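The report above boils down to one missing flag: a path walk performed as root accepts whatever object sits at each component, so a FIFO placed by the user stalls the `openat()` until a writer appears. The following C program is an added illustration of the defensive check, not code from pam or from the bug report: it creates a scratch directory containing a real subdirectory and a FIFO, then opens each with `O_DIRECTORY` so that the FIFO is refused with `ENOTDIR` before any blocking open can happen. The function names `open_dir_component()` and `demo_fifo_rejected()` and the scratch path under `/tmp` are assumptions made for the example; `O_NOFOLLOW` and `O_CLOEXEC` are added here as the usual companions of such a walk and are not mentioned in the report.

```c
// Added example, not from pam or the bug report: why O_DIRECTORY matters when
// walking a user-controlled path as root. A FIFO where a directory is
// expected blocks a plain O_RDONLY open() until a writer shows up; with
// O_DIRECTORY the kernel rejects the component immediately with ENOTDIR.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

// Open one path component the way a hardened directory walk should
// (hypothetical helper): only a real directory is accepted, symlinks are not
// followed, and the call can never block on a FIFO. Returns the fd, or -1
// with errno set (ENOTDIR for a FIFO or any other non-directory).
int open_dir_component(int dirfd, const char *name) {
    return openat(dirfd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
}

// Build a constructed scratch tree <tmp>/realdir (directory) and <tmp>/trap
// (FIFO), probe both with open_dir_component(), and clean up. Returns 0 when
// the FIFO is rejected with ENOTDIR and the directory is accepted; nonzero
// codes identify which setup step or check failed.
int demo_fifo_rejected(void) {
    char tmpl[] = "/tmp/pam_ns_demo.XXXXXX";  // constructed scratch location
    if (mkdtemp(tmpl) == NULL) return 1;
    int base = open(tmpl, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (base < 0) { rmdir(tmpl); return 2; }

    int rc = 3;  // setup failure unless both checks below run
    if (mkdirat(base, "realdir", 0700) == 0 && mkfifoat(base, "trap", 0600) == 0) {
        // Without O_DIRECTORY this open of the FIFO would hang here, which is
        // exactly the pam_namespace denial of service. With it: ENOTDIR.
        int fd = open_dir_component(base, "trap");
        int fifo_rejected = (fd < 0 && errno == ENOTDIR);
        if (fd >= 0) close(fd);

        // A genuine directory component is still accepted.
        int dfd = open_dir_component(base, "realdir");
        int dir_ok = (dfd >= 0);
        if (dfd >= 0) close(dfd);

        rc = (fifo_rejected && dir_ok) ? 0 : 4;
    }

    // Cleanup; errors are ignored because some entries may not exist.
    unlinkat(base, "trap", 0);
    unlinkat(base, "realdir", AT_REMOVEDIR);
    close(base);
    rmdir(tmpl);
    return rc;
}

int main(void) {
    int rc = demo_fifo_rejected();
    printf("%s\n", rc == 0 ? "FIFO rejected with ENOTDIR, directory accepted"
                           : "unexpected result");
    return rc;
}
```

The check is cheap to audit in any privileged path walk: every `openat()` (or `open()`) that is only ever meant to yield a directory should carry `O_DIRECTORY`, so that a user-planted FIFO, device node or regular file ends the walk with an error instead of a hang or an unintended open.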
Comment 1 Larry the Git Cow gentoo-dev 2024-05-03 08:21:52 UTC
The bug has been referenced in the following commit(s):

commit d95186284e3334576810a06047ffc4922c98e838
Author:     Christopher Fore <>
AuthorDate: 2024-04-22 21:27:03 +0000
Commit:     Sam James <>
CommitDate: 2024-05-03 08:12:52 +0000

    sys-libs/pam: add 1.6.1, security bump
    - Remove patch that is now included in 1.6.1
    - Tests pass
    [sam: Add USE=examples.]
    Signed-off-by: Christopher Fore <>
    Signed-off-by: Sam James <>

 sys-libs/pam/Manifest         |   2 +
 sys-libs/pam/pam-1.6.1.ebuild | 150 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 152 insertions(+)