[Bug 1804417] [NEW] runuser doesn't authenticate PAM modules
Tobias Karnat
1804417 at bugs.launchpad.net
Wed Nov 21 10:50:06 UTC 2018
Public bug reported:
We use the pam_localuser.so PAM module so that root can only become local users,
because we don't want root to be able to become a domain user (we use sssd with AD integration).
This works well with the su program, but fails with runuser.
We added the following in front of pam_rootok.so in the files /etc/pam.d/su and runuser:
auth required pam_localuser.so
As I have found out, this behaviour can easily be changed by applying the following patch:
diff -urN util-linux-2.31.1/login-utils/su-common.c util-linux-2.31.1/login-utils/su-common.c
--- util-linux-2.31.1/login-utils/su-common.c 2018-11-21 10:56:05.100179733 +0100
+++ util-linux-2.31.1/login-utils/su-common.c 2018-11-21 11:10:40.458312830 +0100
@@ -709,7 +709,6 @@
*/
if (su->restricted)
errx(EXIT_FAILURE, _("may not be used by non-root users"));
- return;
}
rc = pam_authenticate(su->pamh, 0);
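Review bot: dropping the `return;` at the end of the `su->restricted` branch means runuser now falls through to `pam_authenticate(su->pamh, 0)` exactly like su, so the comment closed by the `*/` at the top of the hunk, which documents the runuser exception, needs to be updated in the same hunk or it will describe behaviour that no longer exists. The effect of the change also depends entirely on the auth stack in /etc/pam.d/runuser: root callers only stay prompt-free if `pam_rootok.so` remains a sufficient module early in that stack, so the patch should ship together with a check of the default runuser PAM file rather than relying on the reporter's local edit.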
And it works as expected:
# runuser domainuser
runuser: Permission denied
However, we would always need to recompile util-linux as new security updates come out.
Could this please be applied to the Ubuntu repository and backported for bionic?
I will contact the util-linux maintainer separately in order to get this upstream.
** Affects: util-linux (Ubuntu)
Importance: Undecided
Status: New
** Patch added: "util-linux_2.31.1_runuser_pam.patch"
https://bugs.launchpad.net/bugs/1804417/+attachment/5214930/+files/util-linux_2.31.1_runuser_pam.patch
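To show why the reporter places pam_localuser.so in front of pam_rootok.so, and what runuser skipping pam_authenticate() amounts to (the stack is never evaluated at all), here is an added Python model of Linux-PAM auth-stack evaluation. It is not code from the bug report or util-linux; pam_localuser, pam_rootok, pam_unix_password, run_auth_stack and the passwd snippet are constructed stand-ins.

```python
# Constructed passwd snippet standing in for /etc/passwd; only these users are "local".
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""

def pam_localuser(target_user, caller_uid):
    """Model of pam_localuser.so: succeed only if the target user is in the local passwd file."""
    local_names = {line.split(":")[0] for line in LOCAL_PASSWD.splitlines() if line}
    return target_user in local_names

def pam_rootok(target_user, caller_uid):
    """Model of pam_rootok.so: succeed if the calling process runs as root (uid 0)."""
    return caller_uid == 0

def pam_unix_password(target_user, caller_uid):
    """Stand-in for pam_unix.so: no password is entered in this model, so it always fails."""
    return False

def run_auth_stack(stack, target_user, caller_uid):
    """Evaluate an auth stack of (control, module) pairs using the Linux-PAM rules for
    required (record failure, keep going), requisite (fail at once) and
    sufficient (return success at once unless an earlier required module failed)."""
    required_failed = False
    for control, module in stack:
        ok = module(target_user, caller_uid)
        if control == "requisite" and not ok:
            return False
        if control == "required" and not ok:
            required_failed = True
        if control == "sufficient" and ok and not required_failed:
            return True
    return not required_failed

# The reporter's order: pam_localuser.so placed in front of pam_rootok.so.
STACK_LOCALUSER_FIRST = [
    ("required", pam_localuser),
    ("sufficient", pam_rootok),
    ("required", pam_unix_password),
]

# Reversed order: pam_rootok.so returns success for root before pam_localuser.so runs.
STACK_ROOTOK_FIRST = [
    ("sufficient", pam_rootok),
    ("required", pam_localuser),
    ("required", pam_unix_password),
]
```

With the reporter's order, root (uid 0) can become alice but not domainuser; with pam_rootok.so first, the sufficient success short-circuits the stack and domainuser is allowed. runuser before the patch corresponds to never calling run_auth_stack at all.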