Control: reassign -1 libkscreenlocker5

Hello,

On Sat, Nov 24, 2018 at 04:48:31PM +0100, hg42 wrote:
> I ran into that quite a while ago, but wasn't using a screen locker or KDE
> since, so I forgot about it. Now, with KDE and mostly hibernating my system,
> it came back.

> unix_chkpwd is installed SGID (2755) in all currently available
> libpam-modules-bin versions:
> 1.1.8-3.2ubuntu2
> 1.1.8-3.2ubuntu2.1
> 1.1.8-3.2ubuntu3
> 1.1.8-3.2ubuntu3.1
> 1.1.8-3.6
> 1.1.8-3.6ubuntu2
> 1.1.8-3.8

> With these permissions correct passwords fail in newer KDE screen locker
> versions. I tested libkscreenlocker5 versions:
> 5.13.5-1
> 5.8.6-2
> 5.12.6-0ubuntu0.1
> 5.12.4-0ubuntu1

> for a recent occurance of the issue see here:
> https://www.reddit.com/r/kde/comments/8w7uqq/screen_wont_unlock/e1wbilp/?context=8&depth=9

That is not a bug in the Debian PAM package.  That shows a user whose
unix_chkpwd binary has completely wrong permissions which do not match what
we ship.

> I found a discussion about SUID vs. SGID for unix_chkpwd here:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=155583

> Note, I am not an expert in security related things, but the reasoning in
> the discussion doesn't look logical, so I'll try to explain my view as a
> user.

> There probably was a reason why it was SUID before. Obviously nobody is
> talking about that decision.

> The discussion about switching to SGID seems to be about explicit packages
> that fail and solutions for them.

> But as I understand this, it doesn't say, there cannot be or can never be
> other packages that need unix_chkpwd to be SUID. May be, this is totally
> obvious to you and it doesn't need to be discussed. But at least the KDE
> screen locker is an example.
> Also, bashing NIS doesn't help, especially if there could be other software.

There is nothing about a KDE screenlocker that requires unix_chkpwd to be
setuid root instead of setgid shadow.  The helper only needs to have
permission to read /etc/shadow, which is by default readable by group
shadow.  If this is not working for you, then it's not because shipping
unix_chkpwd as setgid shadow is wrong.

Equating NIS with a screenlocker is erroneous.  NIS is an authentication
backend technology with an archaic security design and specific client
requirements.  A screenlocker is only a consumer of PAM.


> So, one question is, why is SGID better than SUID?

The principle of least privilege.

> is it worth breaking packages if you don't know, why SUID was part of the
> design?

Just because you do not know does not mean that we do not.

Moreover, the PAM package has been shipped this way in Debian for over a
decade.  Thousands or millions of users have successfully used KDE's screen
locker with PAM in this configuration.  You are the only user reporting such
a problem.  Clearly, something is misconfigured on your system compared to
that of all the other users.

> The other question is, why does another package need unix_chkpwd SUID?  is
> it insecure or otherwise bad code in some way?

> That said, the problem could also be in the code of the screen locker.

It could; so let's reassign this bug to the KDE package, whose maintainers
may have more insight into specific configurations that may cause this
screenlocker to fail.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
[email protected]                                     [email protected]

Attachment: signature.asc
Description: PGP signature

Reply via email to