Merging sys-apps/shadow-4.8-r1[pam] yields a number of setuid binaries in /usr/sbin:

15518409  76 -rws--x--x 1 root root  76840 Dec 7 17:56 /usr/sbin/groupdel
15518431  88 -rws--x--x 1 root root  89224 Dec 7 17:56 /usr/sbin/userdel
15518154  60 -rws--x--x 1 root root  59912 Dec 7 17:56 /usr/sbin/chgpasswd
15518419  84 -rws--x--x 1 root root  85160 Dec 7 17:56 /usr/sbin/groupmod
15518411  84 -rws--x--x 1 root root  85224 Dec 7 17:56 /usr/sbin/groupadd
15518426  96 -rws--x--x 1 root root  97416 Dec 7 17:56 /usr/sbin/newusers
15518429 132 -rws--x--x 1 root root 131312 Dec 7 17:56 /usr/sbin/useradd
15518407  60 -rws--x--x 1 root root  59976 Dec 7 17:56 /usr/sbin/chpasswd
15518428 132 -rws--x--x 1 root root 131088 Dec 7 17:56 /usr/sbin/usermod

It also installs respective pam.d configuration files which contain pam_permit for auth:

#%PAM-1.0
auth sufficient pam_rootok.so
auth required pam_permit.so
account include system-auth
password required pam_permit.so

This effectively allows any system user to use these programs without any authentication to create, modify and delete any other system user or group:

[m@n] id
uid=1000(m) gid=1000(m) groups=1000(m),10(wheel),78(kvm),103(power)
[m@n] ls -lad /home/foo
ls: cannot access '/home/foo': No such file or directory
[m@n] grep ^foo /etc/passwd
[m@n] useradd -m foo
[m@n] ls -lad /home/foo
drwxr-xr-x 3 foo foo 4096 Dec 7 18:02 /home/foo
[m@n] grep ^foo /etc/passwd
foo:x:1001:1001::/home/foo:/bin/bash
[m@n]

As is to be expected, removing pam_permit disables that function:

[m@n] ls -la /usr/sbin/useradd
-rws--x--x 1 root root 131312 Dec 7 17:56 /usr/sbin/useradd
[m@n] grep permit /etc/pam.d/useradd
#auth required pam_permit.so
password required pam_permit.so
[m@n] useradd -m bar
useradd: PAM: Permission denied

So does removing the setuid bit:

[m@n] ls -la /usr/sbin/useradd
-rwx--x--x 1 root root 131312 Dec 7 17:56 /usr/sbin/useradd
[m@n] grep permit /etc/pam.d/useradd
auth required pam_permit.so
password required pam_permit.so
[m@n] useradd -m bar
useradd: Permission denied.
useradd: cannot lock /etc/passwd; try again later.

<=sys-apps/shadow-4.7-r2 installs the same permissive pam configs but no setuid binaries. It seems this was broken in the upstream package and fixed in 4.8 as told by the ChangeLog:

2019-12-01  Serge Hallyn  <serge@hallyn.com>

	* Release 4.8
	[...]
	* Fix failing chmod calls for suidubins
	[...]

1. Whether the binaries are installed setuid is governed by configure flag --enable-account-tools-setuid. It is not explicitly governed by the ebuild. Its default is derived from whether --with-libpam is on. The ebuild has a $(use_with pam libpam) for that. USE flag pam is enabled in the default/linux profile and AFAICT only masked for uclibc profiles, thus very likely hitting a large number of people:

/usr/portage/profiles/default/linux/make.defaults:USE="berkdb crypt ipv6 ncurses nls pam readline ssl tcpd zlib"

A stop-gap measure is to disable USE flag pam for sys-apps/shadow, effectively reverting to the state of sys-apps/shadow-4.7-r2: permissive pam configs but no setuid binaries to exploit them. IMO USE flag pam should be masked for sys-apps/shadow globally so users can consciously opt in to having setuid binaries and PAM functionality in this sensitive area of system management.

2. The ebuild's pam configuration is too permissive. pam_permit should be removed for auth or (more explicitly) replaced with pam_deny. pam_rootok will still permit use by root. Other directives to open it up can and must be added by the consenting admin who knows what they're doing.

The upstream source contains configs that look about right:

[m@n:~/shadow-4.8] cat etc/pam.d/useradd
#%PAM-1.0
auth sufficient pam_rootok.so
account required pam_permit.so
password include system-auth

Reproducible: Always

Portage 2.3.81 (python 3.6.9-final-0, default/linux/amd64/17.1/desktop, gcc-9.2.0, glibc-2.30-r3, 5.4.1-gentoo x86_64)
=================================================================
System uname: Linux-5.4.1-gentoo-x86_64-Intel-R-_Core-TM-_i7-8565U_CPU_@_1.80GHz-with-gentoo-2.6
KiB Mem: 16112256 total, 4869956 free
KiB Swap: 8388604 total, 8323836 free
Timestamp of repository gentoo: Fri, 06 Dec 2019 18:00:02 +0000
Head commit of repository gentoo: 52e20370c0d974fb1452c29d755b738b6a8b0523
-pam also kills PAM support in /bin/su, /bin/passwd and /bin/login. :-/

An explicit use_enable seems the way to go:

--- /usr/portage/sys-apps/shadow/files/pam.d-include/shadow	2015-08-09 02:38:18.000000000 +0200
+++ /usr/local/portage/sys-apps/shadow/files/pam.d-include/shadow	2019-12-07 18:59:56.920440259 +0100
@@ -1,7 +1,7 @@
 #%PAM-1.0
 auth sufficient pam_rootok.so
-auth required pam_permit.so
+auth required pam_deny.so
 account include system-auth
diff -ur /usr/portage/sys-apps/shadow/shadow-4.8-r1.ebuild /usr/local/portage/sys-apps/shadow/shadow-4.8-r1.ebuild
--- /usr/portage/sys-apps/shadow/shadow-4.8-r1.ebuild	2019-12-02 11:39:41.000000000 +0100
+++ /usr/local/portage/sys-apps/shadow/shadow-4.8-r1.ebuild	2019-12-07 18:59:43.413518749 +0100
@@ -12,7 +12,7 @@
 LICENSE="BSD GPL-2"
 SLOT="0"
 KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sh ~sparc ~x86"
-IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr"
+IUSE="acl audit bcrypt +cracklib nls pam selinux skey split-usr +su xattr account-tools-setuid"
 
 # Taken from the man/Makefile.am file.
 LANGS=( cs da de es fi fr hu id it ja ko pl pt_BR ru sv tr zh_CN zh_TW )
@@ -68,6 +68,7 @@
 		$(use_with skey)
 		$(use_with su)
 		$(use_with xattr attr)
+		$(use_enable account-tools-setuid)
 	)
 
 	econf "${myeconfargs[@]}"

Incidentally this not only disables setuid install of the binaries but PAM support in them while the other tools retain PAM support:

$ ldd /bin/login /usr/sbin/useradd
/bin/login:
	linux-vdso.so.1 (0x00007ffd217fe000)
	libpam.so.0 => /lib64/libpam.so.0 (0x00007f7bd6023000)
	libpam_misc.so.0 => /lib64/libpam_misc.so.0 (0x00007f7bd601e000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f7bd5e4c000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f7bd5e46000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f7bd607f000)
/usr/sbin/useradd:
	linux-vdso.so.1 (0x00007ffd08b68000)
	libacl.so.1 => /lib64/libacl.so.1 (0x00007f19c6602000)
	libattr.so.1 => /lib64/libattr.so.1 (0x00007f19c65fa000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f19c6428000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f19c666d000)

src/Makefile.am:

if ACCT_TOOLS_SETUID
suidusbins += chgpasswd chpasswd groupadd groupdel groupmod newusers useradd userdel usermod
endif
[...]
if ACCT_TOOLS_SETUID
LIBPAM_SUID = $(LIBPAM)
else
LIBPAM_SUID =
endif

src/useradd.c:

#ifdef ACCT_TOOLS_SETUID
#ifdef USE_PAM
[...]
	if (PAM_SUCCESS == retval) {
		retval = pam_authenticate (pamh, 0);
	}
	if (PAM_SUCCESS == retval) {
		retval = pam_acct_mgmt (pamh, 0);
	}
[...]
	(void) pam_end (pamh, retval);
#endif	/* USE_PAM */
#endif	/* ACCT_TOOLS_SETUID */

So install of the pam configs could be omitted in that case as well.
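Review bot: the pam.d-include/shadow hunk only touches the auth stack, and there the ordering is right: `auth sufficient pam_rootok.so` ahead of `auth required pam_deny.so` lets root through and refuses every other caller, which is the stated intent. The password stack is left as is, and the report shows the installed useradd config still carrying `password required pam_permit.so`; since chpasswd and chgpasswd are password-changing tools that use the same configuration, please state whether that line is meant to survive this change.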
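Review bot: the IUSE and econf hunks introduce account-tools-setuid as a USE flag that can be set independently of pam, but configure rejects --enable-account-tools-setuid without libpam (the thread quotes the error `PAM support is required for --enable-account-tools-setuid`), so the combination +account-tools-setuid -pam would fail at configure time; the ebuild should declare the dependency, e.g. `REQUIRED_USE="account-tools-setuid? ( pam )"`, and the new flag also needs a description in metadata.xml, which this diff does not add.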
Would this change be a good mitigation?

@@ -58,6 +59,7 @@
 		--enable-shared=no
 		--enable-static=yes
 		$(use_enable nls)
+		$(use_enable !pam account-tools-setuid)
 		$(use_with acl)
 		$(use_with audit)
 		$(use_with bcrypt)
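Review bot: `$(use_enable !pam account-tools-setuid)` inverts the relationship between the two options: it passes --enable-account-tools-setuid exactly when pam is off and --disable-account-tools-setuid when it is on. Since configure requires PAM for --enable-account-tools-setuid (it aborts with `PAM support is required for --enable-account-tools-setuid`), a -pam build would no longer configure, while a +pam build gets the intended --disable. If the goal is simply never to install the tools setuid, pass `--disable-account-tools-setuid` unconditionally instead of tying it to the pam flag.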
Do I understand correctly, that it is intended to:

a.) disable setuid account management tools if PAM support is enabled and
b.) enable setuid account management tools if PAM support is disabled?

What happens if someone wants c.) PAM support *and* setuid account management tools enabled?

Also, if someone disabled PAM support, wouldn't that leave them with setuid root user management binaries and no authentication whatsoever, again opening up arbitrary user management by any user on the system? I guess the binaries could be chgrp'd to some acctmgmt group and set to mode 1710 to gain some control of that.

Configure --help reads:

  --enable-account-tools-setuid
                          Install the user and group management tools setuid
                          and authenticate the callers. This requires --with-pam.

So I think case b.) is not intended, supported nor tested.

Actually, come to think of it and testing it, configure refuses that combination:

./configure --without-libpam --enable-account-tools-setuid
checking for a BSD-compatible install... /usr/bin/install -c
[...]
checking use login and su access
checking if PAM not used... yes
configure: error: PAM support is required for --enable-account-tools-setuid

So I think $(use_enable !pam account-tools-setuid) would break building with -pam.

Also, please don't forget that for case c.) (setuid + pam), the pam.d configs still need to be fixed not to leave user management open to anyone by default.
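To see how the three configs quoted in this bug (the shipped one, the proposed pam_deny variant and upstream's etc/pam.d/useradd) behave for root and for an ordinary user, here is an added example, not code from the bug report, shadow or Gentoo: it replays a pam.d auth stack under simplified Linux-PAM control-flag rules and combines the verdict with the setuid bit, the two conditions the report shows must both hold. It assumes that every module other than pam_rootok, pam_permit and pam_deny demands credentials an unauthenticated caller does not have; the function names, file names and sample configs are constructed here.

```shell
#!/bin/sh
# Added example (not from the bug report): model how a shadow account tool's
# PAM "auth" stack decides for a caller that presents no credentials.  Only
# the control values and modules seen in this bug are modelled; any other
# module is assumed to require credentials the caller lacks and to fail.

# Outcome of one module for a caller with no credentials.
# $1 = module name, $2 = "root" or "nonroot"
module_passes() {
    case "$1" in
        pam_permit.so) return 0 ;;            # always succeeds
        pam_rootok.so) [ "$2" = root ] ;;     # succeeds only for uid 0
        *)             return 1 ;;            # pam_deny.so, password checks, ...
    esac
}

# Walk the "auth" lines of a pam.d file with simplified Linux-PAM rules.
# Returns 0 when the stack succeeds for the caller without authentication.
# $1 = pam.d file, $2 = "root" or "nonroot"
auth_stack_open() {
    req_failed=0
    any_success=0
    while read -r type control module rest; do
        case "$type" in ''|'#'*) continue ;; esac   # blank lines and comments
        [ "$type" = auth ] || continue
        case "$control" in
            include|substack) req_failed=1; continue ;;  # assumed: needs a password
        esac
        if module_passes "$module" "$2"; then
            any_success=1
            # a successful "sufficient" module ends the stack unless a
            # "required" module already failed
            if [ "$control" = sufficient ] && [ "$req_failed" -eq 0 ]; then
                return 0
            fi
        else
            case "$control" in
                requisite) return 1 ;;        # fails immediately
                required)  req_failed=1 ;;    # keep going, but the result is failure
            esac                              # sufficient/optional failures are ignored
        fi
    done < "$1"
    if [ "$req_failed" -eq 0 ] && [ "$any_success" -eq 1 ]; then
        return 0
    fi
    return 1
}

# Both findings of the report must hold for a tool to be usable by anyone:
# the binary carries the setuid bit and its auth stack is open to non-root.
# $1 = binary, $2 = its pam.d file
tool_exposed() {
    [ -u "$1" ] && auth_stack_open "$2" nonroot
}

# Constructed sample inputs: the shipped config, the proposed pam_deny
# version and upstream's etc/pam.d/useradd, plus a stand-in setuid binary.
work=$(mktemp -d)
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'auth required pam_permit.so' 'account include system-auth' \
    'password required pam_permit.so' > "$work/useradd.shipped"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'auth required pam_deny.so' 'account include system-auth' > "$work/useradd.fixed"
printf '%s\n' '#%PAM-1.0' 'auth sufficient pam_rootok.so' \
    'account required pam_permit.so' 'password include system-auth' > "$work/useradd.upstream"
: > "$work/useradd" && chmod 4711 "$work/useradd" 2>/dev/null || true

for cfg in shipped fixed upstream; do
    for who in root nonroot; do
        if auth_stack_open "$work/useradd.$cfg" "$who"; then r=open; else r=closed; fi
        echo "useradd.$cfg for $who: $r"
    done
done
```

Only the shipped config reports "open" for nonroot; the pam_deny and upstream variants stay open for root through pam_rootok and closed for everyone else.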
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f569e6070dea96b746db27eb5586f7a73c99916d

commit f569e6070dea96b746db27eb5586f7a73c99916d
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2019-12-17 07:50:29 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2019-12-17 07:50:49 +0000

    sys-apps/shadow: Revbump to no longer install binaries SUID-root

    Thanks-to: Michael Weiser <michael@weiser.dinsnail.net>
    Bug: https://bugs.gentoo.org/702252
    Package-Manager: Portage-2.3.82, Repoman-2.3.20
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/{shadow-4.8-r1.ebuild => shadow-4.8-r2.ebuild} | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
To be honest, I don't see a compelling reason to install these binaries SUID-root. If someone wants to enable users to use these binaries, one can still create corresponding sudo rules.
Thanks! Should we drop the IMO broken PAM configs as well? I volunteer to do a PR on GitHub if helpful.
(In reply to Michael Weiser from comment #6) > Thanks! Should we drop the IMO broken PAM configs as well? I volunteer to do > a PR on GitHub if helpful. That would be great. I am not really a pam expert so I'd like to have your forthcoming PR reviewed by some other Gentoo devs.
BTW: Upstream is aware of us: https://github.com/shadow-maint/shadow/pull/199 and reconsidering the default of --enable-account-tools-setuid.
https://github.com/gentoo/gentoo/pull/14032
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c7da130a443ab9811b242ae2cbf8259cb85d43b1

commit c7da130a443ab9811b242ae2cbf8259cb85d43b1
Author:     Michael Weiser <michael.weiser@gmx.de>
AuthorDate: 2019-12-17 19:02:40 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-01-19 01:00:17 +0000

    sys-apps/shadow: Revbump to fix up PAM configuration

    shadow includes a number of administrative account management binaries like useradd, chage and chpasswd, traditionally only usable by root. In shadow they can be compiled with PAM support and installed setuid. PAM configuration can then be used to delegate account management to users other than root.

    The previous config contained the pam_rootok module to provide default behaviour of allowing account management when called as root. But it also contained pam_permit which would allow everyone else to also do account management without any authentication. To close this loophole we remove pam_permit from the config.

    Also, chpasswd, chgpasswd and newusers are batch-mode mass-change tools meant for scripting. They only contain PAM support if configure flag --enable-account-tools-setuid is in effect and are then installed setuid root. They should use the same restrictive PAM configuration as their siblings. But with setuid user management tools and PAM support within them disabled by commit f569e607 we can stop installing the configuration files as well.

    chfn and chsh are intended to be called by the user as self-service tools. For this reason they're always installed setuid root and contain PAM support. They should be allowed to work but maybe not without some prior authentication to avoid attacks such as someone finding an unlocked session and using chfn to redirect phone calls intended for the user to himself. The existing passwd config seems perfect for that and is aptly named in that both tools change user information normally stored in /etc/passwd.

    groupmems is another user self-service tool. It allows the user to add people to their user-private group, allowing them trusted access to normally private files. It is not installed setuid like chfn and chsh but always contains PAM support. Upstream installs a locked down PAM config by default. Since default shell profiles on Gentoo do not change umask to 0002 when a private user group is in use, impact will only be to allow read access to those additional users by default. Since the idea of adding more users to the user *private* group is questionable, go with upstream's default of locking the PAM config down so that an admin not only needs to make the binary suid but also adjust the PAM config, in the process hopefully considering what they're doing.

    Bug: https://bugs.gentoo.org/702252
    Closes: https://github.com/gentoo/gentoo/pull/14032
    Reviewed-by: Mikle Kolyada <zlogene@gentoo.org>
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/files/pam.d-include/shadow-r1 |   7 +
 sys-apps/shadow/shadow-4.8-r3.ebuild          | 233 ++++++++++++++++++++++++++
 2 files changed, 240 insertions(+)
Lets get this stable.
s390 stable
amd64 stable
sparc stable
arm stable
ppc stable
x86 stable
ia64 stable
ppc64 stable
arm64 stable
hppa stable
SuperH port disbanded.
m68k dropped stable keywords
@maintainer(s), please cleanup
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=56a1b1be9d9b3661cc4f2ab036312d47892c4118

commit 56a1b1be9d9b3661cc4f2ab036312d47892c4118
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-04-21 08:13:36 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-04-21 08:24:39 +0000

    sys-apps/shadow: Security cleanup

    Bug: https://bugs.gentoo.org/702252
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 sys-apps/shadow/Manifest                           |   2 -
 sys-apps/shadow/files/shadow-4.7-optional_su.patch | 130 ------------
 sys-apps/shadow/shadow-4.6.ebuild                  | 214 -------------------
 sys-apps/shadow/shadow-4.7-r2.ebuild               | 236 ---------------------
 4 files changed, 582 deletions(-)
Unable to check for sanity:

> no match for package: sys-apps/shadow-4.8-r4
This issue was resolved and addressed in GLSA 202008-09 at https://security.gentoo.org/glsa/202008-09 by GLSA coordinator Sam James (sam_c).
We have an embedded ppc, 32 bits with sys-apps/shadow-4.6 USE=nls pam xattr -acl -audit -cracklib -selinux -skey which has

ls -l /usr/sbin/{groupadd,groupdel,groupmod,useradd,userdel,usermod}
-rwxr-xr-x 1 root root  66396 Mar 28  2019 /usr/sbin/groupadd*
-rwxr-xr-x 1 root root  62212 Mar 28  2019 /usr/sbin/groupdel*
-rwxr-xr-x 1 root root  66368 Mar 28  2019 /usr/sbin/groupmod*
-rwxr-xr-x 1 root root 103748 Mar 28  2019 /usr/sbin/useradd*
-rwxr-xr-x 1 root root  70448 Mar 28  2019 /usr/sbin/userdel*
-rwxr-xr-x 1 root root  99580 Mar 28  2019 /usr/sbin/usermod*

So I suspect this version is not vulnerable?