
Don't auto-enable ACCT_TOOLS_SETUID if PAM is detected #199

Merged
merged 1 commit into from Dec 20, 2019

Conversation

falconindy (Contributor)

Here's a sad story:

  • 7097145 is merged into shadow, allowing newgidmap/newuidmap to be
    installed with file caps rather than setuid.
  • https://bugs.archlinux.org/task/63248 is filed to take advantage of
    this.
  • The arch maintainer of the 'shadow' package notices that this doesn't
    work, and submits a pull request to fix this in shadow.
  • edf7547 is merged, fixing the post install hooks.

The problem here is that distros have been building shadow with PAM for
O(years), but the install hooks have silently failed due to the
combination of the directory mismatch (suidubins vs suidsbins) and later
success with setuid'ing newgidmap/newuidmap.

With the install hooks fixed, those of us (Arch[1] and Gentoo[2] so far)
who never built shadow explicitly with --enable-account-tools-setuid are
now getting setuid account tools, and don't have PAM configuration
suitable for use with setuid account management tools.

It's entirely unclear to me why you'd want this, but I assume there's
some reason out there for it existing. Regardless, setuid binaries are
dangerous and shouldn't be enabled by default without good reason.

[1] https://bugs.archlinux.org/task/64836
[2] https://bugs.gentoo.org/702252
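A defender-side check for the condition described above (account tools that ended up setuid-root on a PAM build without a matching PAM service file), added here as an example and not code from the shadow project or from this PR. The tool list, the /etc/pam.d location and the use of getcap to spot file-capability installs are assumptions; adjust them to your distribution.

```shell
#!/bin/sh
# Added example, not from the shadow project: report, for each shadow account
# tool, whether it is setuid-root, setuid but not root-owned, or plain, what
# file capabilities it carries instead, and whether a PAM service file exists
# for it. Assumptions: the tool list below, PAM_DIR, and availability of getcap.

# Assumed list of account-management tools; override with ACCT_TOOLS="..."
ACCT_TOOLS="${ACCT_TOOLS:-newuidmap newgidmap useradd usermod userdel groupadd groupmod groupdel chpasswd chgpasswd}"
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# classify MODE OWNER -> setuid-root | setuid-other | plain
# MODE is the octal mode as printed by `stat -c %a` (e.g. 755 or 4755); the
# setuid bit is the 4 in the leading digit, so 4xxx, 5xxx, 6xxx and 7xxx match.
classify() {
    case "$1" in
        [4567]???) [ "$2" = root ] && echo setuid-root || echo setuid-other ;;
        *) echo plain ;;
    esac
}

# caps_of PATH -> file capabilities as reported by getcap, or "-" if none.
# Handles both the old "path = caps" and the newer "path caps" output forms.
caps_of() {
    out=$(getcap "$1" 2>/dev/null) || true
    out=${out#"$1"}; out=${out# = }; out=${out# }
    [ -n "$out" ] && printf '%s\n' "$out" || echo -
}

# audit PATH -> prints one report line; returns 1 when the tool is
# setuid-root and no PAM service file named after it exists in PAM_DIR.
audit() {
    name=${1##*/}
    class=$(classify "$(stat -c %a "$1")" "$(stat -c %U "$1")")
    pam=no; [ -f "$PAM_DIR/$name" ] && pam=yes
    printf '%-12s %-12s caps=%-20s pam=%s\n' "$name" "$class" "$(caps_of "$1")" "$pam"
    [ "$class" = setuid-root ] && [ "$pam" = no ] && return 1
    return 0
}

# Walk the assumed tool list; exit non-zero if any tool is flagged.
main() {
    rc=0
    for t in $ACCT_TOOLS; do
        p=$(command -v "$t" 2>/dev/null) || continue   # sbin tools may need PATH
        audit "$p" || rc=1
    done
    return $rc
}

if [ "${1-}" = --run ]; then main; exit $?; fi
```

Run it as `PATH=$PATH:/usr/sbin sh audit-shadow-suid.sh --run`; a non-zero exit means at least one setuid-root account tool has no PAM service file.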

awilfox (Contributor) commented Dec 16, 2019

So, my concern from the Gentoo bug is that this would actually disable PAM functionality entirely in the specified utilities. Is that the case, or is that a misunderstanding on their part?

falconindy (Contributor, Author)

Yes, you're correct -- PAM functionality in the account management tools is dependent on --with-libpam and --enable-account-tools-setuid. However, without the tools being setuid, the PAM linkage doesn't really matter, right? What's the value in prompting for authentication if you aren't also escalating privileges?

Duncaen added a commit to Duncaen/void-packages that referenced this pull request Dec 17, 2019
The defaults for what programs contained in shadow have the setuid bit
has changed in version 4.7, when using pam most of those tools don't
need setuid bits so explicitly disable them.

References:
* shadow-maint/shadow#199
* https://bugs.archlinux.org/task/64836
* https://bugs.gentoo.org/702252
Duncaen added a commit to void-linux/void-packages that referenced this pull request Dec 18, 2019
The defaults for what programs contained in shadow have the setuid bit
has changed in version 4.7, when using pam most of those tools don't
need setuid bits so explicitly disable them.

References:
* shadow-maint/shadow#199
* https://bugs.archlinux.org/task/64836
* https://bugs.gentoo.org/702252
Foxboron commented Dec 18, 2019

This issue has been assigned CVE-2019-19882.

brauner (Collaborator) commented Dec 18, 2019

> This issue has been assigned CVE-2019-19882.

What is this CVE filed against shadow? Who has been notified of this CVE?

@hallyn hallyn merged commit 1ec36ea into shadow-maint:master Dec 20, 2019
atweiden pushed a commit to atweiden/voidpkgs that referenced this pull request Dec 21, 2019
The defaults for what programs contained in shadow have the setuid bit
has changed in version 4.7, when using pam most of those tools don't
need setuid bits so explicitly disable them.

References:
* shadow-maint/shadow#199
* https://bugs.archlinux.org/task/64836
* https://bugs.gentoo.org/702252

void-linux/void-packages@e095c78
halstead pushed a commit to openembedded/openembedded-core that referenced this pull request Jan 3, 2020
Backport patch from <shadow-maint/shadow#199
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gbionescu pushed a commit to gbionescu/poky that referenced this pull request Jan 3, 2020
Backport patch from <shadow-maint/shadow#199
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

(From OE-Core rev: 20c0f454f337c2514b7bf6eacfe7119ea8278fb4)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
gbionescu pushed a commit to gbionescu/poky that referenced this pull request Jan 3, 2020
Backport patch from <shadow-maint/shadow#199
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

(From OE-Core rev: a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jpuhlman pushed a commit to MontaVista-OpenSourceTechnology/poky that referenced this pull request Jan 6, 2020
Source: poky
MR: 00000
Type: Integration
Disposition: Merged from poky
ChangeID: b0af33c
Description:

Backport patch from <shadow-maint/shadow#199
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

(From OE-Core rev: a0de64cab692562d4bbd64f8bdcaa3fc6bc694bb)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Jeremy Puhlman <jpuhlman@mvista.com>
jhershbe pushed a commit to jhershbe/openembedded-core that referenced this pull request Sep 8, 2022
Backport patch from <shadow-maint/shadow#199
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
jhershbe pushed a commit to jhershbe/openembedded-core that referenced this pull request Sep 23, 2022
Backport patch from <shadow-maint/shadow#199
commits/66b7bc0dcfda12d7f58eba993bd02872cae1d713> to solve
CVE-2019-19882.

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>