Package: lightdm
Version: 1.10.3-3
Severity: normal

Dear Maintainer,

We have an environment that uses pam_ldap to authenticate most of our users.

Due to some nuances of the core (open)LDAP schema, the uid attribute will return success on "equality" matches even if the requested query includes spaces or mixed case. See Also:
http://www.openldap.org/lists/openldap-software/200204/msg00337.html

So, if you attempt to login as " Bkroth" instead of "bkroth", the LDAP server will respond successfully.

Unfortunately, pam_ldap (probably reasonably) just takes that to mean that the provided username is valid and passes it through (it did ask for an equality match after all). A better thing to do at that stage would probably be to hand back the value in the uid attribute that the LDAP server responded with, but I'll leave that for a separate pam_ldap bug report. Somewhat related:
https://forums.opensuse.org/showthread.php/445925-pam_ldap-username-case-sensitivity-on-OpenSuSE-11-2

The trouble is that lightdm takes the user-provided value and 1) assigns it to the USER and LOGNAME environment variables, and 2) uses it to try and initgroups(), which then fails (group memberships in LDAP are usually done with fully qualified DNs which don't do the loose equality matching described above).

The combination of incorrect USER environment variables and missing supplementary groups causes lots of other problems.

Note that programs like su, login, ssh, etc. don't exhibit this behavior since they turn around and perform a lookup of the "true" username against the NSS database again when populating the environment variables. Here are a few examples:
https://github.com/shadow-maint/shadow/blob/master/src/su.c#L928
https://github.com/openssh/openssh-portable/blob/V_6_7/session.c#L1179

The attached patch essentially just adjusts lightdm's behavior to perform the same sort of NSS lookup to get the true username.

I also have a dumbed down sample test program to illustrate the issue outside of lightdm in case it helps.

Let me know if you have any questions or comments.

Thanks,
Brian
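The following C program is an added illustration of the normalization the report describes; it is not the reporter's attached test program and not lightdm code. A constructed passwd table with a loose lookup (`loose_getpwnam`) stands in for the pam_ldap/LDAP uid match that ignores case and surrounding whitespace, and a constructed exact-match member list (`strict_group_has_member`) stands in for DN-based LDAP group membership. `resolve_login_name` does what su and sshd do: it looks the typed name up and uses the returned pw_name for USER/LOGNAME and group setup. `resolve_login_name_nss` runs the same logic against the real NSS stack through getpwnam(). All account and group names in it are constructed sample data.

```c
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* A passwd lookup callback; in production this is getpwnam() (NSS). */
typedef struct passwd *(*pw_lookup_fn)(const char *name);

/* Resolve whatever the user typed at the greeter to the canonical account
 * name (pw_name) returned by the directory. Returns 0 on success and fills
 * out, -1 if no account matched or the buffer is too small. */
int resolve_login_name(const char *provided, pw_lookup_fn lookup,
                       char *out, size_t outlen)
{
    if (provided == NULL || provided[0] == '\0' || lookup == NULL)
        return -1;
    struct passwd *pw = lookup(provided);
    if (pw == NULL || pw->pw_name == NULL)
        return -1;
    if (strlen(pw->pw_name) + 1 > outlen)
        return -1;
    memcpy(out, pw->pw_name, strlen(pw->pw_name) + 1);
    return 0;
}

/* Same resolution against the real NSS stack, as su/sshd do before
 * populating USER/LOGNAME and calling initgroups(). */
int resolve_login_name_nss(const char *provided, char *out, size_t outlen)
{
    return resolve_login_name(provided, getpwnam, out, outlen);
}

/* ---- Constructed stand-in for an LDAP-backed passwd map (sample data) --- */

static struct passwd loose_directory[] = {
    { .pw_name = "bkroth", .pw_uid = 1001, .pw_gid = 1001,
      .pw_dir = "/home/bkroth", .pw_shell = "/bin/bash" },
    { .pw_name = "alice",  .pw_uid = 1002, .pw_gid = 1002,
      .pw_dir = "/home/alice",  .pw_shell = "/bin/bash" },
};

/* Emulates the loose "equality" match of the LDAP uid attribute: ignores
 * case and surrounding whitespace, but still returns the stored pw_name. */
static struct passwd *loose_getpwnam(const char *name)
{
    char key[64];
    size_t n;

    while (*name != '\0' && isspace((unsigned char)*name))
        name++;
    n = strlen(name);
    while (n > 0 && isspace((unsigned char)name[n - 1]))
        n--;
    if (n == 0 || n >= sizeof key)
        return NULL;
    for (size_t i = 0; i < n; i++)
        key[i] = (char)tolower((unsigned char)name[i]);
    key[n] = '\0';

    for (size_t i = 0; i < sizeof loose_directory / sizeof loose_directory[0]; i++)
        if (strcmp(key, loose_directory[i].pw_name) == 0)
            return &loose_directory[i];
    return NULL;
}

/* Constructed group member list keyed by exact name: LDAP group membership
 * is usually by full DN, so none of the loose matching applies here. */
static const char *wheel_members[] = { "bkroth" };

/* Returns 1 if name is an exact member of the constructed group, else 0. */
int strict_group_has_member(const char *name)
{
    for (size_t i = 0; i < sizeof wheel_members / sizeof wheel_members[0]; i++)
        if (strcmp(name, wheel_members[i]) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *typed = " Bkroth";   /* what the user entered at the greeter */
    char canonical[64];

    /* Naive display manager: use the typed value as-is for USER and groups. */
    printf("naive:      USER=\"%s\"  in wheel: %d\n",
           typed, strict_group_has_member(typed));

    /* su/ssh/login behaviour: look the name up and use pw_name instead. */
    if (resolve_login_name(typed, loose_getpwnam, canonical, sizeof canonical) == 0)
        printf("normalized: USER=\"%s\"  in wheel: %d\n",
               canonical, strict_group_has_member(canonical));
    else
        printf("no account matched \"%s\"\n", typed);
    return 0;
}
```

The naive path ends up with USER=" Bkroth" and no group membership, the normalized path with USER="bkroth" and the expected membership, which is the same difference the report observes between lightdm and su/ssh. Resolving the name before use also fails closed: a name the directory does not know yields no account rather than a session with a bogus USER value.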

-- System Information:
Debian Release: 8.6
 APT prefers stable
 APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  dbus                                   1.8.20-0+deb8u1
ii  debconf [debconf-2.0]                  1.5.56
ii  libc6                                  2.19-18+deb8u6
ii  libgcrypt20                            1.6.3-2+deb8u2
ii  libglib2.0-0                           2.42.1-1+b1
ii  libpam-systemd                         215-17+deb8u5
ii  libpam0g                               1.1.8-3.1+deb8u1+b1
ii  libxcb1                                1.10-3+b1
ii  libxdmcp6                              1:1.1.1-1+b1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.8.5-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+7

Versions of packages lightdm suggests:
ii  accountsservice  0.6.37-3+b1
ii  upower           0.99.1-3.2

-- Configuration Files:
/etc/lightdm/lightdm.conf changed [not included]

-- debconf information excluded
diff -u -ruN orig/lightdm-1.10.3/debian/changelog patched/lightdm-1.10.3/debian/changelog
--- orig/lightdm-1.10.3/debian/changelog	2014-11-04 14:58:17.000000000 -0600
+++ patched/lightdm-1.10.3/debian/changelog	2016-10-26 14:53:31.191071134 -0500
@@ -1,3 +1,10 @@
+lightdm (1.10.3-3.1) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * With a patch to normalize the username returned by PAM via an NSS lookup.
+
+ -- Brian Kroth <bpkr...@gmail.com>  Wed, 26 Oct 2016 13:40:56 -0500
+
 lightdm (1.10.3-3) unstable; urgency=medium
 
   * debian/patches:
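Review bot: the changelog entry says the patch normalizes "the username returned by PAM", but per the report it is the user-typed name that pam_ldap passes through unchanged, and the patch normalizes it with an NSS lookup; word it that way, list the patch file under a "debian/patches:" item as the existing entry does (e.g. "- normalize_username.patch added"), and add the closes: reference once this report has a bug number.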
diff -u -ruN orig/lightdm-1.10.3/debian/patches/normalize_username.patch patched/lightdm-1.10.3/debian/patches/normalize_username.patch
--- orig/lightdm-1.10.3/debian/patches/normalize_username.patch	1969-12-31 18:00:00.000000000 -0600
+++ patched/lightdm-1.10.3/debian/patches/normalize_username.patch	2016-10-26 15:15:16.560403085 -0500
@@ -0,0 +1,52 @@
+Description: normalize the provided username by performing an nss lookup
+ Some passwd/shadow NSS database providers (eg: LDAP) may accept a username
+ with mixed case and/or spaces in it when performing lookups.  For instance, 
+ " Bkroth" instead of "bkroth".  In such environments, we should use the actual
+ value returned by the NSS database lookup, when performing operations like
+ initgroups and pam_putenv.  NOTE: Ultimately, this is really working around a
+ bug in the core LDAP schema's uid attribute which accepts case insensitive and
+ substring matches and pam_ldap(d) which simply pass the provided string along
+ with the "equality" match succeeds.
+ See Also:
+ http://www.openldap.org/lists/openldap-software/200204/msg00337.html
+ https://forums.opensuse.org/showthread.php/445925-pam_ldap-username-case-sensitivity-on-OpenSuSE-11-2
+ This workaround is basically what su, ssh, login, etc. already do.
+ See Also:
+ https://github.com/shadow-maint/shadow/blob/master/src/su.c#L928
+ https://github.com/openssh/openssh-portable/blob/V_6_7/session.c#L1179
+ .
+ lightdm (1.10.3-3) unstable; urgency=medium
+ .
+   * debian/patches:
+     - 06_change-user-dirs edited, don't use /var/lib/lightdm directly (it
+     seems to confuse lightdm and break .dmrc saving) but use
+     /var/lib/lightdm/data and create it at runtime.             closes: #767359
+Author: Yves-Alexis Perez <cor...@debian.org>
+Bug-Debian: https://bugs.debian.org/767359
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: https://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- lightdm-1.10.3.orig/src/session-child.c
++++ lightdm-1.10.3/src/session-child.c
+@@ -414,6 +414,10 @@ session_child_run (int argc, char **argv
+               pam_putenv (pam_handle, "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
+             else
+               pam_putenv (pam_handle, "PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games");
++            /* Normalize the username from what was provided as the input by doing a lookup against the local naming service database(s) */
++            const gchar *new_username = user_get_name(user);
++            g_free (username);
++            username = g_strdup (new_username);
+             pam_putenv (pam_handle, g_strdup_printf ("USER=%s", username));
+             pam_putenv (pam_handle, g_strdup_printf ("LOGNAME=%s", username));
+             pam_putenv (pam_handle, g_strdup_printf ("HOME=%s", user_get_home_directory (user)));
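Review bot: the DEP-3 header does not describe this patch. After the first description paragraph it embeds the old 1.10.3-3 changelog entry ("06_change-user-dirs edited ..."), "Author: Yves-Alexis Perez" and "Bug-Debian: https://bugs.debian.org/767359" belong to that earlier change, and the template block from "The information above should follow the Patch Tagging Guidelines" through "Last-Update: <YYYY-MM-DD>" must be removed; set Author to the patch author, Bug-Debian to this report, and a Forwarded: field for upstream. On the code: `user_get_name (user)` is dereferenced unconditionally, so confirm `user` cannot be NULL at this point, and if `user` was obtained from `username`, confirm that `g_free (username)` does not free anything `user` still references. The report says initgroups() also fails with the raw name, yet this hunk only replaces `username` immediately before the USER/LOGNAME pam_putenv calls; check whether initgroups() runs after this point with the replaced `username` (or with user_get_name() directly), otherwise the supplementary-group half of the bug remains. Finally, `const gchar *new_username` is declared mid-block while the surrounding code declares at the top of the block; move the declaration up for consistency.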
diff -u -ruN orig/lightdm-1.10.3/debian/patches/series patched/lightdm-1.10.3/debian/patches/series
--- orig/lightdm-1.10.3/debian/patches/series	2014-10-24 07:25:50.000000000 -0500
+++ patched/lightdm-1.10.3/debian/patches/series	2016-10-26 14:53:18.806944540 -0500
@@ -3,3 +3,4 @@
 03_use-desktopnames-properties.patch
 05_debianize-pam-files.patch
 06_change-user-dirs.patch
+normalize_username.patch
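Review bot: the new series entry breaks the numbering convention used by the existing patches (03_, 05_, 06_); name it 07_normalize-username.patch and rename the patch file to match so the application order stays explicit.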
