From nobody@FreeBSD.org  Tue Aug 19 04:28:10 2008
Return-Path: <nobody@FreeBSD.org>
Message-Id: <200808190428.m7J4SAkI010833@www.freebsd.org>
Date: Tue, 19 Aug 2008 04:28:10 GMT
From: Aaron Scarisbrick <aaronsca@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: pam_unix.so silently fails authenticating as non-root user

>Number:         126650
>Category:       bin
>Synopsis:       pam_unix(8): pam_unix.so silently fails authenticating as non-root user
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Tue Aug 19 04:30:02 UTC 2008
>Closed-Date:    Wed Aug 20 10:34:53 UTC 2008
>Last-Modified:  Fri Nov 13 11:20:04 UTC 2009
>Originator:     Aaron Scarisbrick
>Release:        7.0-RELEASE-p3
>Organization:
>Environment:
FreeBSD nostromo.scarisbrick.org 7.0-RELEASE-p3 FreeBSD 7.0-RELEASE-p3 #3: Mon Jul 14 21:08:48 GMT 2008     root@nostromo.scarisbrick.org:/usr/src/sys/i386/compile/CUSTOM  i386
>Description:
In trying to get /usr/ports/net/tac_plus4 to use PAM, it would silently fail authenticating against the pam_unix.so module.  The root cause was that tac_plus was not running as root, and the getpwnam() function called by the pam_unix.so module would return a struct without a password to compare and always fail (i.e. PAM_AUTH_ERR). This made it always appear as though an incorrect password was entered, even though there was no way to verify whether it was or not.
>How-To-Repeat:
Install /usr/ports/net/tac_plus4 without OPIE or SKEY.
Configure /etc/pam.d/tac_plus to use pam_unix.so auth.
Configure /usr/local/etc/tac_plus.conf to use PAM login.
Configure /etc/rc.conf to allow tac_plus service.
Start tac_plus service via /usr/local/etc/rc.d/tac_plus
Configure NAS to use shiny new tac_plus service.
Attempt authentication on NAS.
Curse.
Lather, rinse, repeat.
>Fix:
Applying the attached patch to /usr/src/lib/libpam/modules/pam_unix/pam_unix.c should explicitly call out when a service is using the pam_unix.so module incorrectly (e.g. as a non-root user). It only reports the more descriptive error message if the password is NULL and the effective user id is not root.

Patch attached with submission follows:

--- pam_unix.c.orig	2008-08-19 03:16:47.000000000 +0000
+++ pam_unix.c	2008-08-19 03:51:04.000000000 +0000
@@ -129,6 +129,10 @@
 	if (strcmp(crypt(pass, realpw), realpw) == 0)
 		return (PAM_SUCCESS);
 
+	if (strcmp(realpw, "*") == 0 && geteuid() != 0) {
+		PAM_VERBOSE_ERROR("UNIX password field readable only by root");
+		return (PAM_CRED_UNAVAIL);
+	}
 	PAM_VERBOSE_ERROR("UNIX authentication refused");
 	return (PAM_AUTH_ERR);
 }
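Review bot: the condition tested here does not match the one the Description describes, and the return code is the wrong one for an authentication hook. The Description says the descriptive message is reported "if the password is NULL", but `+	if (strcmp(realpw, "*") == 0 && geteuid() != 0) {` compares against the literal `"*"`; a locked account whose field is legitimately `"*"` will now have every unprivileged caller told "UNIX password field readable only by root", which misreports the cause. `PAM_CRED_UNAVAIL` is a status defined for pam_sm_setcred(3); the value pam_sm_authenticate(3) defines for "the data needed to authenticate could not be read" is `PAM_AUTHINFO_UNAVAIL`. The check also sits after `strcmp(crypt(pass, realpw), realpw)`, so crypt() is still run against the placeholder before the problem is noticed; if the check is kept at all it belongs before the comparison.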


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Aug 20 06:14:44 UTC 2008 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126650 

From: Dag-Erling Smørgrav <des@des.no>
To: Aaron Scarisbrick <aaronsca@gmail.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/126650: pam_unix.so silently fails authenticating as non-root user
Date: Wed, 20 Aug 2008 12:25:44 +0200

 Aaron Scarisbrick <aaronsca@gmail.com> writes:
 > Applying the attached patch to
 > /usr/src/lib/libpam/modules/pam_unix/pam_unix.c should explicitly call
 > out when a service is using the pam_unix.so module incorrectly (e.g.
 > as a non-root user).  It only reports the more descriptive error
 > message if the password is NULL and the effective user id is not root.
 
 There are a lot of assumptions here regarding the nature and semantics
 of the underlying password database (which is not necessarily spwd.db,
 since getpwnam() hooks into nsswitch).  Most of them are invalid.
 
 1) you do not necessarily have to be root to get a complete passwd
    record; it depends on the underlying nss module and other factors.
 2) conversely, even root may be unable to get a complete passwd record.
 3) an incomplete passwd record does not necessarily have the password
    set to "*".
 4) conversely, a passwd record with the password set to "*" is not
    necessarily incomplete.
 
 What it boils down to is that there is no reliable way to differentiate
 the two cases (incorrect password vs. incomplete data).  The admin must
 make an educated guess and modify his configuration accordingly - either
 avoid using pam_unix in circumstances in which it won't work, or change
 the circumstances so that it will.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
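The exchange above can be made concrete with a small model. The following Python is an added example, not FreeBSD's pam_unix.c and not code from anyone in this PR. It covers both the symptom in the Description (an unprivileged caller gets a passwd record with a placeholder in the password field, so every password looks wrong) and the nullok hazard later documented against this PR (a placeholder that happens to be empty makes nullok accept any password). The `$pbkdf2$...` hash format, the `SHADOW` table, the `getpwnam` stand-in with its `placeholder` parameter, and the `db_readable` argument of the hardened variant are all assumptions made for the example; pam_unix itself uses crypt(3) and gets its records through nsswitch.

```python
"""Added example (not FreeBSD's pam_unix.c): a model of the pam_unix decision
path discussed in PR 126650, with a hardened variant beside it."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Pam(Enum):
    SUCCESS = "PAM_SUCCESS"
    AUTH_ERR = "PAM_AUTH_ERR"                    # "wrong password"
    AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"    # "could not read what I needed"


@dataclass
class Passwd:
    pw_name: str
    pw_passwd: str   # the password field exactly as getpwnam() handed it to the caller


ITERATIONS = 20000   # assumption: PBKDF2 stands in for crypt(3) so the file runs anywhere


def make_hash(password: str, salt: Optional[str] = None) -> str:
    """Constructed hash format: $pbkdf2$<iterations>$<salt>$<hex digest>."""
    salt = salt or os.urandom(8).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"$pbkdf2${ITERATIONS}${salt}${digest.hex()}"


def is_hash(field: str) -> bool:
    """True only for a field in the constructed hash format above."""
    parts = field.split("$")
    return len(parts) == 5 and parts[0] == "" and parts[1] == "pbkdf2" and parts[2].isdigit()


def verify_hash(password: str, field: str) -> bool:
    """False for anything that is not a hash: "*", "x", "!" or an empty field."""
    if not is_hash(field):
        return False
    _, _, iters, salt, digest = field.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iters))
    return hmac.compare_digest(cand.hex(), digest)


# Constructed password database: alice has a password, svc has none (the nullok case).
SHADOW = {
    "alice": make_hash("correct horse", salt="0011223344556677"),
    "svc": "",
}


def getpwnam(name: str, privileged: bool, placeholder: str = "*") -> Optional[Passwd]:
    """Stand-in for getpwnam(3) behind nsswitch.  A privileged caller sees the real
    field.  An unprivileged caller gets whatever the backend substitutes: the PR's
    patch expects "*", but as the maintainer's reply points out other backends
    differ, so the placeholder is a parameter here (assumption)."""
    if name not in SHADOW:
        return None
    return Passwd(name, SHADOW[name] if privileged else placeholder)


def pam_unix_authenticate(pwd: Optional[Passwd], password: str, nullok: bool = False) -> Pam:
    """The behaviour the thread describes: nullok short-circuits on an empty field,
    otherwise the supplied password is checked against whatever the field holds.
    The module cannot tell whether that field is real or a placeholder."""
    if pwd is None:
        return Pam.AUTH_ERR
    if nullok and pwd.pw_passwd == "":
        return Pam.SUCCESS
    return Pam.SUCCESS if verify_hash(password, pwd.pw_passwd) else Pam.AUTH_ERR


def hardened_authenticate(pwd: Optional[Passwd], password: str, nullok: bool = False,
                          db_readable: bool = False) -> Pam:
    """Same check, but the caller states whether it could read the password database:
    the deployer knows this, while the module cannot reliably infer it (which is why
    the PR's geteuid() heuristic was not accepted).  nullok is honoured only then, and
    a field that is not a verifiable hash is reported as AUTHINFO_UNAVAIL rather than
    as a wrong password, so the failure shows up as a configuration problem."""
    if pwd is None:
        return Pam.AUTH_ERR
    if not db_readable and not is_hash(pwd.pw_passwd):
        return Pam.AUTHINFO_UNAVAIL
    if pwd.pw_passwd == "":
        return Pam.SUCCESS if nullok else Pam.AUTH_ERR
    return Pam.SUCCESS if verify_hash(password, pwd.pw_passwd) else Pam.AUTH_ERR


if __name__ == "__main__":
    # Unprivileged caller, record reduced to "*": the PR's symptom.
    print(pam_unix_authenticate(getpwnam("alice", False), "correct horse"))
    # Unprivileged caller, backend that substitutes "", nullok on: the documented hazard.
    print(pam_unix_authenticate(getpwnam("alice", False, placeholder=""), "anything", nullok=True))
    # Hardened variant refuses to guess in both cases.
    print(hardened_authenticate(getpwnam("alice", False, placeholder=""), "anything", nullok=True))
```

Run as-is, the first line prints `Pam.AUTH_ERR` (the caller with a placeholder record sees only "wrong password", exactly what tac_plus saw), the second prints `Pam.SUCCESS` for a password that was never checked, and the third prints `Pam.AUTHINFO_UNAVAIL`. The hardened variant does not try to distinguish the cases from the record itself, which the maintainer explains is not possible in general; it requires the calling service to say whether it had database access, which is the "change the circumstances" option from the reply above expressed as an interface.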
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Wed Aug 20 10:34:52 UTC 2008 
State-Changed-Why:  
Not a bug 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126650 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/126650: commit references a PR
Date: Fri, 13 Nov 2009 11:19:39 +0000 (UTC)

 Author: des
 Date: Fri Nov 13 11:19:26 2009
 New Revision: 199248
 URL: http://svn.freebsd.org/changeset/base/199248
 
 Log:
   Note that nullok should not be used by processes that can't access the
   password database.
   
   PR:		bin/126650, misc/140514
   MFC after:	1 week
 
 Modified:
   head/lib/libpam/modules/pam_unix/pam_unix.8
 
 Modified: head/lib/libpam/modules/pam_unix/pam_unix.8
 ==============================================================================
 --- head/lib/libpam/modules/pam_unix/pam_unix.8	Fri Nov 13 09:57:50 2009	(r199247)
 +++ head/lib/libpam/modules/pam_unix/pam_unix.8	Fri Nov 13 11:19:26 2009	(r199248)
 @@ -105,6 +105,17 @@ sufficient.
  If the password database has no password for the entity being
  authenticated, then this option will forgo password prompting, and
  silently allow authentication to succeed.
 +.Pp
 +.Sy NOTE:
 +If
 +.Nm
 +is invoked by a process that does not have the privileges required to
 +access the password database (in most cases, this means root
 +privileges), the
 +.Cm nullok
 +option may cause
 +.Nm
 +to allow any user to log in with any password.
  .It Cm local_pass
  Use only the local password database, even if NIS is in use.
  This will cause an authentication failure if the system is configured
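Review bot: the new paragraph states the consequence but not the mechanism or the remedy, so an administrator reading it cannot tell whether their setup is affected. Between `+option may cause` and `+to allow any user to log in with any password.` it would help to say why: an unprivileged caller receives a password field it cannot read, the module cannot distinguish that from "no password set" (the point made when PR 126650 was closed), and `nullok` therefore treats it as no password. A closing sentence naming the two fixes from that discussion (run the service with access to the password database, or do not use `nullok` there) would make the note actionable rather than only cautionary.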
 
>Unformatted:
