pam_succeed_if: prevent logging unknown user names in plaintext#985
pam_succeed_if: prevent logging unknown user names in plaintext#985lzwind wants to merge 1 commit into
Conversation
ldv-alt
left a comment
ldv-alt
left a comment
There was a problem hiding this comment.
Looks like the chosen approach is not correct. Instead, I suggest changing the logging part where the user name is printed: if audit is enabled or the user exists, print the user name as it is printed now, otherwise print an unknown user.
When a user accidentally types their password at the username prompt, pam_succeed_if logs the password in plaintext via pam_syslog. This happens because evaluate_ingroup, evaluate_notingroup, evaluate_innetgr, and evaluate_notinnetgr return PAM_AUTH_ERR or PAM_SUCCESS for non-existent users instead of PAM_USER_UNKNOWN, bypassing the existing log guard (ret != PAM_USER_UNKNOWN). Instead of changing the return values of the evaluate_* functions (which would break the expected semantics of e.g. evaluate_notingroup that should return PAM_SUCCESS when the user is not in the group), fix the logging part: check whether the user exists using pam_modutil_getpwnam(). If the user does not exist and audit is not enabled, print "unknown user" instead of the potentially sensitive user input. Fixes: linux-pam#559 Signed-off-by: Liu Zheng <liuzheng@uniontech.com>
lzwind
force-pushed
the
fix/pam_succeed_if_password_leak
branch
from
4f943f8 to
f2689ca
Compare
|
I don't see any changes in the new edition of this commit. |
lzwind
force-pushed
the
fix/pam_succeed_if_password_leak
branch
from
f2689ca to
12ac9e0
Compare
lzwind
force-pushed
the
fix/pam_succeed_if_password_leak
branch
from
12ac9e0 to
48ed3c9
Compare
|
Thank you for the suggestion. I've updated the patch to follow your approach: instead of modifying the evaluate_* functions' return values, the fix now only changes the logging part in pam_succeed_if(). After evaluate() returns, if pwd is still NULL, we call pam_modutil_getpwnam() to check whether the user exists. When the user doesn't exist and audit is not enabled, the log message prints 'unknown user' instead of the potentially sensitive user input. The evaluate_ingroup, evaluate_notingroup, evaluate_innetgr, and evaluate_notinnetgr functions remain unchanged, so their original return value semantics (e.g. evaluate_notingroup returning PAM_SUCCESS when the user is not in the group) are preserved. |
lzwind
left a comment
lzwind
left a comment
There was a problem hiding this comment.
Updated per review feedback: moved the user existence check from evaluate_* functions to the logging section. The evaluate functions' return value semantics are preserved.
2 participants
Summary
pam_succeed_iflogs the password in plaintext viapam_syslog. This happens becauseevaluate_ingroup,evaluate_notingroup,evaluate_innetgr, andevaluate_notinnetgrreturnPAM_AUTH_ERRorPAM_SUCCESSfor non-existent users instead ofPAM_USER_UNKNOWN, bypassing the existing log guard (ret != PAM_USER_UNKNOWN).evaluate_notingroupshould returnPAM_SUCCESSwhen the user is not in the group), this fix modifies the logging part: check whether the user exists usingpam_modutil_getpwnam(). If the user does not exist andauditis not enabled, print "unknown user" instead of the potentially sensitive user input.Changes
modules/pam_succeed_if/pam_succeed_if.cevaluate(), check if user exists viapam_modutil_getpwnam(). Use"unknown user"in log messages when user does not exist and audit is disabled.Test plan
pam_succeed_if.so user ingroup <group>, logs show "unknown user" instead of the passwordingroup,notingroup,innetgr,notinnetgrqualifiers all behave correctly with both existing and non-existing usersauditflag is set, the actual user input is still logged for debugging purposesFixes: #559