Public bug reported:

I have noticed that pam_script.so is set to 'sufficient' upon installation. This may lead the user to inadvertently authorize users with any password.

Example procedure:

```
apt install libpam-script
# Auth script that always succeeds
printf '#!/bin/sh\nexit 0' > /usr/share/libpam-script/pam_script_auth
chmod +x /usr/share/libpam-script/pam_script_auth
```

In this situation, any password is accepted to log in. I think this is by design in order to use pam_script for authentication, but pam_script can also be used for other purposes (ex. logging).

README.Debian correctly warns the user though:

/usr/share/doc/libpam-script/README.Debian
> Libpam-script comes with a config file which is installed in
> /usr/share/pam-configs/pam_script please verify that it doesn't introduce
> unwanted behavior by default.

As this package will be mostly used by system administrators, it may be acceptable to leave the configuration to 'sufficient' as it is.

---
Ubuntu 20.04.2 LTS

libpam-script:
  Installed: 1.1.9-4
  Candidate: 1.1.9-4
  Version table:
 *** 1.1.9-4 500
        500 http://fr.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

** Affects: libpam-script (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1931848

Title:
  Default pam configuration with 'sufficient' may lead to security issue
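
Added example (not part of the original bug report or of the libpam-script package): a small Python check that flags `auth` lines where pam_script.so has a control that lets its success end the stack, which is the situation the report describes. The sample stack is constructed and the function names are illustrative; the bracket form is the pam.conf(5) equivalent of `sufficient`.

```python
import re

# Constructed sample in /etc/pam.d syntax (not copied from the package).
SAMPLE = """\
# constructed example stack
auth    sufficient                      pam_script.so
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
session optional                        pam_script.so
"""

# type, control (keyword or [bracket list]), module path, arguments
LINE = re.compile(r"^\s*(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")


def short_circuits(control):
    """True if a module success ends the stack with success, provided
    no earlier 'required' module has failed."""
    if control == "sufficient":
        return True
    if control.startswith("["):
        pairs = dict(p.split("=", 1) for p in control[1:-1].split() if "=" in p)
        return pairs.get("success") == "done"
    return False


def audit(text, module="pam_script.so"):
    """Return (line number, line) for each auth entry where `module`
    can grant access on its own."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.split("#", 1)[0])  # drop comments
        if not m:
            continue  # blank line, comment or @include directive
        mtype, control, path, _args = m.groups()
        if (mtype.lstrip("-") == "auth"
                and path.rsplit("/", 1)[-1] == module
                and short_circuits(control)):
            findings.append((n, raw.strip()))
    return findings


if __name__ == "__main__":
    for n, line in audit(SAMPLE):
        print(f"line {n}: {line}")
```

To check a real system, pass the contents of the relevant file under /etc/pam.d to `audit()` instead of the sample.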