|Main Archive Page > Month Archives > oss-security archives|
On Mon, Sep 27, 2010 at 11:36:13AM -0600, Vincent Danen wrote:
> * [2010-09-24 20:48:23 +0400] Solar Designer wrote:
> >pam_env and pam_mail accessing the target user's files as root (and thus
> >susceptible to attacks by the user) in Linux-PAM below 1.1.2, partially
> >fixed in 1.1.2 - no CVE ID mentioned yet
> >pam_env and pam_mail in Linux-PAM 1.1.2 not switching fsgid (or egid)
> >and groups when accessing the target user's files (and thus potentially
> >susceptible to attacks by the user) - CVE-2010-3430
> >pam_env and pam_mail in Linux-PAM 1.1.2 not checking whether the
> >setfsuid() calls succeed (no known impact with current Linux kernels,
> >but poor practice in general) - CVE-2010-3431
> These that are partially fixed are fixed in that git commit you noted
> Or are they fixed in different commits? It looks like they should all
> be fixed in that commit, but I want to double-check.
No, they are not fully fixed at all. We're working on a patch (so you
don't need to). The commit has the mentioned partial fixes only.
> Are there patches available to fully fix these issues? And are there
> patches for 3430 and 3431 yet?
This is the same question asked different ways. We have a patch that
we're reviewing internally. To be made available soon.
> I'm assuming also that those issues have
> always existed although you say 'in 1.1.2', but they would affect
> earlier versions yet, right?
The original pam_env and pam_mail issues, yes. The partial fixes, no,
because there were no fixes at all before 1.1.2.
> Thanks for any clarification. I'm trying to wrap my head around this
> and the impact of these issues. They all strike me as relatively minor
> issues, but it is possible that I am missing or misunderstanding
> something here.
They're relatively minor because these modules are normally not used.
However, if the modules are used in a PAM stack on a given install, then
the original issues reported against pam_env and pam_mail by Sebastian
become major ones.
Additionally, as mentioned by Sebastian, pam_env's intended behavior is
a security risk (user-provided env vars may affect some services in ways
not expected by the sysadmin). I am not sure how to deal with that.
Maybe improve the documentation.