From pajs@carrick.bishnet.net  Thu Nov 12 21:50:36 2009
Return-Path: <pajs@carrick.bishnet.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 53C091065672
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Nov 2009 21:50:36 +0000 (UTC)
	(envelope-from pajs@carrick.bishnet.net)
Received: from carrick.bishnet.net (carrick.bishnet.net [IPv6:2a01:348:132::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 1A2848FC13
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 12 Nov 2009 21:50:36 +0000 (UTC)
Received: from pajs by carrick.bishnet.net with local (Exim 4.66 (FreeBSD))
	(envelope-from <pajs@carrick.bishnet.net>)
	id 1N8hYc-0000jM-Gi
	for FreeBSD-gnats-submit@freebsd.org; Thu, 12 Nov 2009 21:50:22 +0000
Message-Id: <E1N8hYc-0000jM-Gi@carrick.bishnet.net>
Date: Thu, 12 Nov 2009 21:50:22 +0000
From: P.A.J.Saunders <pajs@fodder.org.uk>
Reply-To: P.A.J.Saunders <pajs@fodder.org.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         140514
>Category:       kern
>Synopsis:       [pam] PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    des
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 12 22:00:06 UTC 2009
>Closed-Date:    
>Last-Modified:  Mon Nov 16 06:06:51 UTC 2009
>Originator:     Peter Saunders
>Release:        FreeBSD 8.0-RC1 i386
>Organization:
>Environment:
System: FreeBSD 8.0-RC1 FreeBSD 8.0-RC1 #2: Mon Oct 5 17:18:42 BST 2009 i386
System: FreeBSD 6.2-RELEASE-p3 FreeBSD 6.2-RELEASE-p3 #2: Sun Apr 1 14:43:00 BST 2007  i386

>Description:
If an application is not running as root, and the pam stack has pam_unix it, and has the nullok option set
it will always return PAM_SUCCESS for any password given on a valid user name. This is related to 126650
which was filed as not a bug - however, it did not mention that applications could also be given 
PAM_SUCCESS for incorrect passwords.

>How-To-Repeat:
Have an application use pam as non root, with nullok set.

>Fix:
Unknown as detailed in 126650.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Nov 13 08:19:30 UTC 2009 
Responsible-Changed-Why:  
Hi Dag-Erling, can you have a look at this please? I suspect that we will 
end up the same way we did with: 126650, because you mention something 
similiar there. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=140514 

From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: "P.A.J.Saunders" <pajs@fodder.org.uk>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: misc/140514: PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
Date: Fri, 13 Nov 2009 09:51:31 +0100

 "P.A.J.Saunders" <pajs@fodder.org.uk> writes:
 > If an application is not running as root, and the pam stack has
 > pam_unix it, and has the nullok option set it will always return
 > PAM_SUCCESS for any password given on a valid user name. This is
 > related to 126650 which was filed as not a bug - however, it did not
 > mention that applications could also be given PAM_SUCCESS for
 > incorrect passwords.
 
 You should read my reply to bin/126650 more carefully...  The correct
 "fix" for this PR is probably simply to mention in pam_unix(8) that
 "nullok" means "anything goes" if PAM is not running as root.
 
 Before you say "just return PAM_CRED_INSUFFICIENT if geteuid() !=3D 0",
 remember that getpwnam() is backed by nsswitch, so we should not assume
 that only root can get a valid result.
 
 If you have a more creative solution, patches are welcome, but as things
 stand, I would classify this as a configuration error.
 
 DES
 --=20
 Dag-Erling Sm=C3=B8rgrav - des@des.no

From: Peter Saunders <pajs@fodder.org.uk>
To: Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@des.no>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: misc/140514: PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
Date: Fri, 13 Nov 2009 08:59:55 +0000

 On Fri, Nov 13, 2009 at 09:51:31AM +0100, Dag-Erling Smrgrav wrote:
 > You should read my reply to bin/126650 more carefully...  The correct
 > "fix" for this PR is probably simply to mention in pam_unix(8) that
 > "nullok" means "anything goes" if PAM is not running as root.
 > 
 > Before you say "just return PAM_CRED_INSUFFICIENT if geteuid() != 0",
 > remember that getpwnam() is backed by nsswitch, so we should not assume
 > that only root can get a valid result.
 > 
 > If you have a more creative solution, patches are welcome, but as things
 > stand, I would classify this as a configuration error.
 
 I would be happy if it was mentioned in pam_unix(8) - but also, removing
 nullok from the default "system" pam stack - so at least it is less
 likely to catch people unaware?
 
 Thanks
 Pete

From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= <des@des.no>
To: Peter Saunders <pajs@fodder.org.uk>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: misc/140514: PAM can give PAM_SUCCESS when infact it should give PAM_CRED_INSUFFICIENT
Date: Fri, 13 Nov 2009 12:11:59 +0100

 Peter Saunders <pajs@fodder.org.uk> writes:
 > I would be happy if it was mentioned in pam_unix(8) - but also, removing
 > nullok from the default "system" pam stack - so at least it is less
 > likely to catch people unaware?
 
 The system stack is not intended to be used by non-root processes.
 
 DES
 --=20
 Dag-Erling Sm=C3=B8rgrav - des@des.no

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: misc/140514: commit references a PR
Date: Fri, 13 Nov 2009 11:19:39 +0000 (UTC)

 Author: des
 Date: Fri Nov 13 11:19:26 2009
 New Revision: 199248
 URL: http://svn.freebsd.org/changeset/base/199248
 
 Log:
   Note that nullok should not be used by processes that can't access the
   password database.
   
   PR:		bin/126650, misc/140514
   MFC after:	1 week
 
 Modified:
   head/lib/libpam/modules/pam_unix/pam_unix.8
 
 Modified: head/lib/libpam/modules/pam_unix/pam_unix.8
 ==============================================================================
 --- head/lib/libpam/modules/pam_unix/pam_unix.8	Fri Nov 13 09:57:50 2009	(r199247)
 +++ head/lib/libpam/modules/pam_unix/pam_unix.8	Fri Nov 13 11:19:26 2009	(r199248)
 @@ -105,6 +105,17 @@ sufficient.
  If the password database has no password for the entity being
  authenticated, then this option will forgo password prompting, and
  silently allow authentication to succeed.
 +.Pp
 +.Sy NOTE:
 +If
 +.Nm
 +is invoked by a process that does not have the privileges required to
 +access the password database (in most cases, this means root
 +privileges), the
 +.Cm nullok
 +option may cause
 +.Nm
 +to allow any user to log in with any password.
  .It Cm local_pass
  Use only the local password database, even if NIS is in use.
  This will cause an authentication failure if the system is configured
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
>Unformatted:
