[Bug 604593] [NEW] pam_unix "account" returns success on a user with an invalid shadow password.
Launchpad Bug Tracker
604593 at bugs.launchpad.net
Wed Jun 8 07:04:09 UTC 2011
You have been subscribed to a public bug:
libpam-modules 1.1.1-2ubuntu5
on lucid amd64
The "account" module of pam_unix.so returns "success" if a user is known
by getpwnam but is not in /etc/shadow.
Typcial example is when LDAP is enabled both in PAM and NSS.
Give the default settings for common-account:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
That means that above whatever account restrictions are in place for LDAP are ignored because for a user successfully *authenticated" via LDAP, the *unix* "account" module will return success and the account module of pam_ldap won't even get called (hence the "security vulnerability").
After investigation in the source code of pam_unix, it seems it is because the "account" module of pam_unix recognises an unknown user as a valid shadow user because getspnam(3) returns a dummy entry looking like:
{sp_namp = 0x20cfa08 "test", sp_pwdp = 0x20cfa0d "*", sp_lstchg = 14802, sp_min = -1, sp_max = -1, sp_warn = -1, sp_inact = -1, sp_expire = -1, sp_flag = 0}
for unknown users.
And the pam_unix code checks for a NULL pwdp but not a "*" one:
#0 get_account_info (pamh=0x20486f0, name=0x20484e0 "test", pwd=0x7ffff56e3a50, spwdent=0x7ffff56e3a58) at passverify.c:206
206 if (*spwdent == NULL || (*spwdent)->sp_pwdp == NULL)
** Affects: libpam-ldap (Ubuntu)
Importance: Undecided
Status: Confirmed
--
pam_unix "account" returns success on a user with an invalid shadow password.
https://bugs.launchpad.net/bugs/604593
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libpam-ldap in Ubuntu.
More information about the Ubuntu-server-bugs
mailing list