oss-security September 2010 archive
Main Archive Page > Month Archives  > oss-security archives
oss-security: Re: [oss-security] Minor security flaw with pam_xa

Re: [oss-security] Minor security flaw with pam_xauth

From: Solar Designer <solar_at_nospam>
Date: Mon Sep 27 2010 - 20:17:29 GMT
To: oss-security@lists.openwall.com

On Mon, Sep 27, 2010 at 11:36:13AM -0600, Vincent Danen wrote:
> * [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> >pam_env and pam_mail accessing the target user's files as root (and thus
> >susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> >fixed in 1.1.2 - no CVE ID mentioned yet
> >
> >pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> >and groups when accessing the target user's files (and thus potentially
> >susceptible to attacks by the user) - CVE-2010-3430
> >
> >pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> >setfsuid() calls succeed (no known impact with current Linux kernels,
> >but poor practice in general) - CVE-2010-3431
> These that are partially fixed are fixed in that git commit you noted
> previously?
> http://git.altlinux.org/people/ldv/packages/?p=pam.git;a=commitdiff;h=06f882f30092a39a1db867c9744b2ca8d60e4ad6
> Or are they fixed in different commits? It looks like they should all
> be fixed in that commit, but I want to double-check.

No, they are not fully fixed at all. We're working on a patch (so you
don't need to). The commit has the mentioned partial fixes only.

> Are there patches available to fully fix these issues? And are there
> patches for 3430 and 3431 yet?

This is the same question asked different ways. We have a patch that
we're reviewing internally. To be made available soon.

> I'm assuming also that those issues have
> always existed although you say 'in 1.1.2', but they would affect
> earlier versions yet, right?

The original pam_env and pam_mail issues, yes. The partial fixes, no,
because there were no fixes at all before 1.1.2.

> Thanks for any clarification. I'm trying to wrap my head around this
> and the impact of these issues. They all strike me as relatively minor
> issues, but it is possible that I am missing or misunderstanding
> something here.

They're relatively minor because these modules are normally not used.
However, if the modules are used in a PAM stack on a given install, then
the original issues reported against pam_env and pam_mail by Sebastian
become major ones.

Additionally, as mentioned by Sebastian, pam_env's intended behavior is
a security risk (user-provided env vars may affect some services in ways
not expected by the sysadmin). I am not sure how to deal with that.
Maybe improve the documentation.