Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected #199
Here's a sad story:

* 7097145 is merged into shadow, allowing newgidmap/newuidmap to be installed with file caps rather than setuid.
* https://bugs.archlinux.org/task/63248 is filed to take advantage of this.
* The arch maintainer of the 'shadow' package notices that this doesn't work, and submits a pull request to fix this in shadow.
* edf7547 is merged, fixing the post install hooks.

The problem here is that distros have been building shadow with PAM for O(years), but the install hooks have silently failed due to the combination of the directory mismatch (suidubins vs suidsbins) and later success with setuid'ing newgidmap/newuidmap.

With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far) who never built shadow explicitly with --enable-account-tools-setuid are now getting setuid account tools, and don't have PAM configuration suitable for use with setuid account management tools.

It's entirely unclear to me why you'd want this, but I assume there's some reason out there for it existing. Regardless, setuid binaries are dangerous and shouldn't be enabled by default without good reason.

[1] https://bugs.archlinux.org/task/64836
[2] https://bugs.gentoo.org/702252
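A defender-side check for the condition this issue describes (account management tools installed setuid while no PAM service file exists for them), added here as an example; it is not code from the shadow project or from the issue author. The tool list is my assumption of what shadow installs setuid under ACCT_TOOLS_SETUID and should be adjusted to your build; the binary and PAM directories are parameters so the same function can be pointed at a packaging staging root or at a live system.

```shell
#!/bin/sh
# Added audit example, not part of shadow or of this issue.
# Reports tools that carry the setuid bit but have no PAM service file,
# which is the combination the issue warns about.

# ASSUMPTION: the account management tools shadow installs setuid when
# ACCT_TOOLS_SETUID is enabled. Edit this list to match your build.
ACCT_TOOLS="chage chgpasswd chpasswd groupadd groupdel groupmems groupmod newusers useradd userdel usermod"

# setuid_without_pam <bindir> <pamdir>
# Prints one line for every tool in <bindir> that is setuid but has no
# <pamdir>/<tool> service file. Returns 0 when nothing is found, 1 otherwise.
# Only the permission bit is examined, so no privileges are needed to run it.
setuid_without_pam() {
    bindir=$1
    pamdir=$2
    found=0
    for tool in $ACCT_TOOLS; do
        bin="$bindir/$tool"
        [ -e "$bin" ] || continue          # tool not installed here, skip
        if [ -u "$bin" ] && [ ! -f "$pamdir/$tool" ]; then
            echo "$bin is setuid but $pamdir/$tool is missing"
            found=1
        fi
    done
    return $found
}

# Live-system usage (shadow installs most account tools under sbin):
#   for d in /usr/sbin /usr/bin /sbin /bin; do
#       setuid_without_pam "$d" /etc/pam.d
#   done
```

The function deliberately checks only the setuid bit, not the file owner; a setuid binary owned by a non-root user is a different (and smaller) concern, and an owner check can be added with `ls -ld` or `stat` if you want it in the same report. A non-zero exit status makes it usable as a post-install or CI gate.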
So, my concern from the Gentoo bug is that this would actually disable PAM functionality entirely in the specified utilities. Is that the case, or is that a misunderstanding on their part?
Yes, you're correct -- PAM functionality in the account management tools is dependent on
The defaults for what programs contained in shadow have the setuid bit has changed in version 4.7, when using pam most of those tools don't need setuid bits so explicitly disable them.

References:
* shadow-maint/shadow#199
* https://bugs.archlinux.org/task/64836
* https://bugs.gentoo.org/702252
This issue has been assigned CVE-2019-19882.
What is this CVE filed against shadow? Who has been notified of this CVE?
The defaults for what programs contained in shadow have the setuid bit has changed in version 4.7, when using pam most of those tools don't need setuid bits so explicitly disable them.

References:
* shadow-maint/shadow#199
* https://bugs.archlinux.org/task/64836
* https://bugs.gentoo.org/702252

void-linux/void-packages@e095c78
Backport patch from <shadow-maint/shadow#199 commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve CVE-2019-19882.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patch from <shadow-maint/shadow#199 commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve CVE-2019-19882.

(From OE-Core rev: 20c0f454f337c2514b7bf6eacfe7119ea8278fb4)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Backport patch from <shadow-maint/shadow#199 commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve CVE-2019-19882.

(From OE-Core rev: a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Source: poky
MR: 00000
Type: Integration
Disposition: Merged from poky
ChangeID: b0af33c
Description:

Backport patch from <shadow-maint/shadow#199 commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve CVE-2019-19882.

(From OE-Core rev: a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>