Date: Tue, 28 Sep 2010 00:17:29 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Minor security flaw with pam_xauth

On Mon, Sep 27, 2010 at 11:36:13AM -0600, Vincent Danen wrote:
> * [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> >pam_env and pam_mail accessing the target user's files as root (and thus
> >susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> >fixed in 1.1.2 - no CVE ID mentioned yet
> >
> >pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> >and groups when accessing the target user's files (and thus potentially
> >susceptible to attacks by the user) - CVE-2010-3430
> >
> >pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> >setfsuid() calls succeed (no known impact with current Linux kernels,
> >but poor practice in general) - CVE-2010-3431
...
> These that are partially fixed are fixed in that git commit you noted
> previously?
> 
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
> 
> Or are they fixed in different commits?  It looks like they should all
> be fixed in that commit, but I want to double-check.

No, they are not fully fixed at all.  We're working on a patch (so you
don't need to).  The commit has the mentioned partial fixes only.

> Are there patches available to fully fix these issues?  And are there
> patches for 3430 and 3431 yet?

This is the same question asked different ways.  We have a patch that
we're reviewing internally.  To be made available soon.

> I'm assuming also that those issues have
> always existed although you say 'in 1.1.2', but they would affect
> earlier versions yet, right?

The original pam_env and pam_mail issues, yes.  The partial fixes, no,
because there were no fixes at all before 1.1.2.

> Thanks for any clarification.  I'm trying to wrap my head around this
> and the impact of these issues.  They all strike me as relatively minor
> issues, but it is possible that I am missing or misunderstanding
> something here.

They're relatively minor because these modules are normally not used.
However, if the modules are used in a PAM stack on a given install, then
the original issues reported against pam_env and pam_mail by Sebastian
become major ones.

Additionally, as mentioned by Sebastian, pam_env's intended behavior is
a security risk (user-provided env vars may affect some services in ways
not expected by the sysadmin).  I am not sure how to deal with that.
Maybe improve the documentation.

Alexander
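The three items quoted at the top of this message describe one procedure done wrong in three ways: a root process touching a user's files without becoming that user, becoming the user for fsuid only (not fsgid and supplementary groups, CVE-2010-3430), and never checking that setfsuid() actually took effect (CVE-2010-3431). The following C is an added illustration written for this page, not Linux-PAM's code and not the patch being discussed; every function name is the example's own, it assumes Linux (setfsuid()/setfsgid() are Linux-specific), and the path used in the self-check is a stand-in for a file in the target user's home.

```c
/* Added illustration for this page (not Linux-PAM code): switch a root
 * process's filesystem identity to the target user before opening that
 * user's file, verifying every step.  Linux-specific (sys/fsuid.h). */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <sys/fsuid.h>   /* setfsuid(), setfsgid() */
#include <grp.h>         /* setgroups(), getgroups() */
#include <unistd.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>

/* setfsuid()/setfsgid() return the PREVIOUS id whether or not the change
 * happened and never set errno.  An invalid id such as (uid_t)-1 is always
 * rejected, so calling with it reads the current value without changing it. */
static uid_t current_fsuid(void) { return (uid_t)setfsuid((uid_t)-1); }
static gid_t current_fsgid(void) { return (gid_t)setfsgid((gid_t)-1); }

/* Set, then re-read: the re-read is the only reliable success check
 * (omitting it is what CVE-2010-3431 is about). */
static int set_fsuid_checked(uid_t uid)
{
    setfsuid(uid);
    if (current_fsuid() != uid) { errno = EPERM; return -1; }
    return 0;
}

static int set_fsgid_checked(gid_t gid)
{
    setfsgid(gid);
    if (current_fsgid() != gid) { errno = EPERM; return -1; }
    return 0;
}

/* The caller's own identity, captured so it can be put back afterwards. */
struct saved_ids {
    uid_t uid;
    gid_t gid;
    gid_t *groups;
    int ngroups;
};

static int save_ids(struct saved_ids *s)
{
    int n = getgroups(0, NULL);              /* query the count first */
    if (n < 0) return -1;
    s->groups = calloc((size_t)n + 1, sizeof *s->groups);
    if (!s->groups) return -1;
    s->ngroups = getgroups(n, s->groups);
    if (s->ngroups < 0) { free(s->groups); s->groups = NULL; return -1; }
    s->uid = current_fsuid();
    s->gid = current_fsgid();
    return 0;
}

/* Become the user for filesystem purposes: supplementary groups and fsgid as
 * well as fsuid (leaving groups/gid as root's is CVE-2010-3430).  setgroups()
 * needs CAP_SETGID and, unlike setfsuid(), does report failure via errno. */
static int drop_to_user(uid_t uid, gid_t gid, const gid_t *groups, size_t ngroups)
{
    if (setgroups(ngroups, groups) != 0) return -1;
    if (set_fsgid_checked(gid) != 0) return -1;
    return set_fsuid_checked(uid);
}

/* Put the saved identity back, in reverse order, checking each step. */
static int restore_ids(const struct saved_ids *s)
{
    int rc = 0;
    if (set_fsuid_checked(s->uid) != 0) rc = -1;
    if (set_fsgid_checked(s->gid) != 0) rc = -1;
    if (setgroups((size_t)s->ngroups, s->groups) != 0) rc = -1;
    return rc;
}

/* Open one of the user's files as that user: the kernel does the permission
 * check with the user's ids, and O_NOFOLLOW refuses a symlink at the final
 * component.  The original identity is restored whatever happens; if even
 * that fails the descriptor is discarded, because carrying on half-switched
 * inside a root process is worse than failing the request. */
static int open_as_user(const char *path, uid_t uid, gid_t gid,
                        const gid_t *groups, size_t ngroups)
{
    struct saved_ids saved;
    int fd = -1, err;

    if (save_ids(&saved) != 0) return -1;
    if (drop_to_user(uid, gid, groups, ngroups) == 0)
        fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    err = errno;
    if (restore_ids(&saved) != 0) {
        if (fd >= 0) close(fd);
        fd = -1;
        err = EPERM;
    }
    free(saved.groups);
    errno = err;
    return fd;
}

/* Self-check: open `path` as our own identity (the only identity an
 * unprivileged caller may request; root may request any) and report whether
 * fsuid/fsgid are back where they started.  Returns 1 on a clean round trip. */
static int identity_roundtrip(const char *path)
{
    uid_t before_uid = current_fsuid();
    gid_t before_gid = current_fsgid();
    gid_t own = getegid();
    int fd = open_as_user(path, geteuid(), own, &own, 1);
    if (fd >= 0) close(fd);
    return current_fsuid() == before_uid && current_fsgid() == before_gid;
}

int main(void)
{
    /* Stand-alone run: /dev/null stands in for a file in the user's home. */
    return identity_roundtrip("/dev/null") ? 0 : 1;
}
```

In a real module the `groups` list would come from getgrouplist() for the target user, and the whole switch has to happen before any stat(), open() or read() of the user's file. Note that this only addresses the privilege-dropping bugs quoted above; pam_env's intended behaviour of letting user-supplied variables reach services is a policy question that no amount of setfsuid() fixes, which is why the message suggests documenting it.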
