Hi Petter,

On Mon, May 03, 2010 at 11:57:05AM +0200, Petter Reinholdtsen wrote:
>
> Package: libpam-ccreds
> Version: 10-2
>
> With LDAP + ccreds set up on a laptop, I just discovered that cc_dump
> reports that the root password is also cached. I believe this is a
> waste (and a minor security issue), as the root password already is
> stored in /etc/shadow.
>
> Can libpam-ccreds be changed to not store the password for root, or
> perhaps support an argument minimum_uid (like libpam-heimdal does), to
> allow us to limit ccreds to uids >= 1000.

Attached patches (based on what libpam-krb5 does) add a minimum_uid
option. That should indeed solve the issue I've had with enabling
pam-auth-update by default. Could you spin a test in your environment?

--
Guido
>From f1fec960ef09e6931aeb9c206a4fbbbc4be03709 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> Date: Thu, 13 May 2010 12:36:26 +0200 Subject: [PATCH 1/2] add minimum_uid option
--- cc_pam.c | 39 +++++++++++++++++++++++++++++++++++++++ 1 files changed, 39 insertions(+), 0 deletions(-) diff --git a/cc_pam.c b/cc_pam.c index d096117..56776aa 100644 --- a/cc_pam.c +++ b/cc_pam.c @@ -20,6 +20,7 @@ #include <errno.h> #include <limits.h> #include <syslog.h> +#include <pwd.h> #include "cc_private.h" @@ -45,6 +46,30 @@ PAM_EXTERN int pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv); #endif + +/* + * Given the PAM arguments and the user we're authenticating, see if we should + * ignore that user because they're root or have a low-numbered UID and we + * were configured to ignore such users. Returns true if we should ignore + * them, false otherwise. + */ +static int +_pamcc_should_ignore(const char *username, int minimum_uid) +{ + struct passwd *pwd; + + if (minimum_uid > 0) { + pwd = getpwnam(username); + if (pwd != NULL && pwd->pw_uid < (unsigned long) minimum_uid) { + syslog(LOG_DEBUG, "ignoring low-UID user (%lu < %d)", + (unsigned long) pwd->pw_uid, minimum_uid); + return 1; + } + } + return 0; +} + + static int _pam_sm_interact(pam_handle_t *pamh, int flags, const char **authtok) @@ -291,7 +316,9 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, unsigned int sm_flags = 0, sm_action = 0; const char *ccredsfile = NULL; const char *action = NULL; + const char *name = NULL; int (*selector)(pam_handle_t *, int, unsigned int, const char *); + int minimum_uid = 0; for (i = 0; i < argc; i++) { if (strcmp(argv[i], "use_first_pass") == 0) 
@@ -300,6 +327,8 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, sm_flags |= SM_FLAGS_TRY_FIRST_PASS; else if (strcmp(argv[i], "service_specific") == 0) sm_flags |= SM_FLAGS_SERVICE_SPECIFIC; + else if (strncmp(argv[i], "minimum_uid=", sizeof("minimum_uid=") - 1) == 0) + minimum_uid = atoi(argv[i] + sizeof("minimum_uid=") - 1); else if (strncmp(argv[i], "ccredsfile=", sizeof("ccredsfile=") - 1) == 0) ccredsfile = argv[i] + sizeof("ccredsfile=") - 1; else if (strncmp(argv[i], "action=", sizeof("action=") - 1) == 0) @@ -321,6 +350,16 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action); } + rc = pam_get_user(pamh, &name, NULL); + if (rc != PAM_SUCCESS || name == NULL) { + if (rc == PAM_CONV_AGAIN) + return PAM_INCOMPLETE; + else + return PAM_SERVICE_ERR; + } + if (_pamcc_should_ignore(name, minimum_uid)) + return PAM_USER_UNKNOWN; + switch (sm_action) { case SM_ACTION_VALIDATE_CCREDS: selector = _pam_sm_validate_cached_credentials; -- 1.7.1
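Review bot: the `minimum_uid=` parser added in the argument loop of pam_sm_authenticate uses `atoi()`, so a malformed value such as `minimum_uid=abc` or a stray character after the number yields 0 and silently switches the check off, the opposite of what the administrator asked for. Parse with `strtol()` and an `endptr`, reject negative values and trailing garbage, and log the bad value at `LOG_ERR` with the `pam_ccreds: ` prefix the module already uses in `syslog(LOG_ERR, "pam_ccreds: invalid action \"%s\"", action);`. The new `LOG_DEBUG` line in `_pamcc_should_ignore` is also missing that prefix.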
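Review bot: `_pamcc_should_ignore` treats a `getpwnam()` failure as "do not ignore", so a user that NSS cannot resolve (the offline case this module exists for) still reaches the cached-credential path; that is the right choice here, but the comment block above the function should say so, since a reader may expect a failed lookup to fail closed. Note also that the early `return PAM_USER_UNKNOWN;` sits before the `switch (sm_action)`, so it applies to store and update as well as validate. With the `default=ignore` and `optional` controls used in the Debian profiles this simply lets the stack continue, but a site writing its own pam.d line with a stricter control would lock low-UID users out, so the option's documentation should state which return value is used for ignored users.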
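Review bot: the diffstat shows only `cc_pam.c` changing, so the new `minimum_uid=` option is undocumented; add it wherever the existing `ccredsfile=` and `action=` options are described. The check also only prevents new entries from being written: a root entry already present in the ccreds store (the one `cc_dump` showed in the report) stays there until it is removed, which deserves a line in the changelog or NEWS for upgrading users.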
>From 2907fd963ae0b97dab0dee1f66478d9b27b23173 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org> Date: Thu, 13 May 2010 12:40:54 +0200 Subject: [PATCH 2/2] Use minimum_uid argument within pam-auth-update --- debian/libpam-ccreds.pam-auth-update.ccreds-check | 4 ++-- debian/libpam-ccreds.pam-auth-update.ccreds-save | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/debian/libpam-ccreds.pam-auth-update.ccreds-check b/debian/libpam-ccreds.pam-auth-update.ccreds-check index 0e931f4..6d0b93e 100644 --- a/debian/libpam-ccreds.pam-auth-update.ccreds-check +++ b/debian/libpam-ccreds.pam-auth-update.ccreds-check @@ -3,5 +3,5 @@ Default: yes Priority: 0 Auth-Type: Primary Auth: - [success=end default=ignore] pam_ccreds.so action=validate use_first_pass - [default=ignore] pam_ccreds.so action=update + [success=end default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass + [default=ignore] pam_ccreds.so minimum_uid=1000 action=update diff --git a/debian/libpam-ccreds.pam-auth-update.ccreds-save b/debian/libpam-ccreds.pam-auth-update.ccreds-save index 53d8c0b..d0c22ee 100644 --- a/debian/libpam-ccreds.pam-auth-update.ccreds-save +++ b/debian/libpam-ccreds.pam-auth-update.ccreds-save @@ -3,4 +3,4 @@ Default: yes Priority: 512 Auth-Type: Additional Auth: - optional pam_ccreds.so action=store + optional pam_ccreds.so minimum_uid=1000 action=store -- 1.7.1
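Review bot: all three hunks hard-code `minimum_uid=1000`, which matches Debian's default first regular UID but not sites whose regular accounts start at a different UID_MIN; since pam-auth-update profiles are static, the profile or package documentation should say that the value has to be edited to match the local convention. The profiles now also reference an option only the patched module parses, so both patches must go into the same upload; otherwise a newer profile could be paired with a module that does not understand `minimum_uid=`.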