Package: libpam-modules-bin
Version: 1.1.8-3.8
Severity: important
--- Please enter the report below this line. ---
I ran into that quite a while ago, but wasn't using a screen locker or KDE
since, so I forgot about it. Now, with KDE and mostly hibernating my system, it
came back.
unix_chkpwd is installed SGID (2755) in all currently available
libpam-modules-bin versions:
1.1.8-3.2ubuntu2
1.1.8-3.2ubuntu2.1
1.1.8-3.2ubuntu3
1.1.8-3.2ubuntu3.1
1.1.8-3.6
1.1.8-3.6ubuntu2
1.1.8-3.8
With these permissions correct passwords fail in newer KDE screen locker
versions. I tested libkscreenlocker5 versions:
5.13.5-1
5.8.6-2
5.12.6-0ubuntu0.1
5.12.4-0ubuntu1
For a recent occurrence of the issue see here:
https://www.reddit.com/r/kde/comments/8w7uqq/screen_wont_unlock/e1wbilp/?context=8&depth=9
I found a discussion about SUID vs. SGID for unix_chkpwd here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=155583
Note, I am not an expert in security-related things, but the reasoning in the
discussion doesn't look logical, so I'll try to explain my view as a user.
There probably was a reason why it was SUID before. Obviously nobody is talking
about that decision.
The discussion about switching to SGID seems to be about explicit packages that
fail and solutions for them.
But as I understand it, it doesn't say that there cannot be or can never be other
packages that need unix_chkpwd to be SUID. Maybe this is totally obvious to
you and it doesn't need to be discussed. But at least the KDE screen locker is
an example.
Also, bashing NIS doesn't help, especially if there could be other software.
So, one question is: why is SGID better than SUID? Is it worth breaking packages
if you don't know why SUID was part of the design?
The other question is: why does another package need unix_chkpwd SUID? Is it
insecure or otherwise bad code in some way?
That said, the problem could also be in the code of the screen locker.
--- System information. ---
Architecture:
Kernel: Linux 4.18.0-2-amd64
Debian Release: buster/sid
  990 stable          security.debian.org
  900 xenial-security archive.ubuntu.com
  900 testing         debian.netcologne.de
  900 stable          kxstudio.linuxaudio.org
  900 stable          dl.google.com
  900 stable          debian.netcologne.de
  900 bionic-security archive.ubuntu.com
  900 artful-security archive.ubuntu.com
  500 xenial          ppa.launchpad.net
  500 wily            ppa.launchpad.net
  500 trusty          ppa.launchpad.net
  500 lucid           ppa.launchpad.net
  500 gcc5            kxstudio.linuxaudio.org
  500 bionic          ppa.launchpad.net
  500 artful          ppa.launchpad.net
  100 xenial-updates  archive.ubuntu.com
  100 xenial-backports archive.ubuntu.com
  100 xenial          archive.ubuntu.com
  100 unstable        packages.siduction.org
  100 unstable        debian.netcologne.de
  100 experimental    debian.netcologne.de
  100 bionic-updates  archive.ubuntu.com
  100 bionic-backports archive.ubuntu.com
  100 bionic          archive.ubuntu.com
  100 artful-updates  archive.ubuntu.com
  100 artful-backports archive.ubuntu.com
  100 artful          archive.ubuntu.com
--- Package information. ---
Depends (Version)             | Installed
=============================-+-==============
libaudit1 (>= 1:2.2.1)        | 1:2.8.4-2
libc6 (>= 2.14)               |
libpam0g (>= 0.99.7.1)        |
libselinux1 (>= 1.32)         |
Package's Recommends field is empty.
Package's Suggests field is empty.
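As an added example (not part of this bug report or of the libpam packaging), a small POSIX shell check that tells an administrator which privilege model the installed PAM helper actually has: the setuid-root design the report says was used before, the setgid 2755 layout it describes, both, or neither. The /sbin/unix_chkpwd path and the use of GNU `stat` are assumptions.

```shell
#!/bin/sh
# Classify how a PAM helper binary is privileged from its mode bits,
# owner and group. Path is an assumption (Debian installs the helper there).
CHKPWD_PATH=${CHKPWD_PATH:-/sbin/unix_chkpwd}

# classify_helper MODE OWNER GROUP
# MODE is the octal mode as printed by `stat -c %a` (e.g. 2755 = rwxr-sr-x).
# Prints one of:
#   suid:<owner>          setuid bit set only (runs as the owner, e.g. root)
#   sgid:<group>          setgid bit set only (runs with the group, e.g. shadow;
#                         this is the 2755 layout the report describes)
#   both:<owner>:<group>  setuid and setgid both set
#   none                  neither bit set: the helper cannot read the shadow
#                         file for an unprivileged caller at all
classify_helper() {
    mode=$1 owner=$2 group=$3
    case $mode in
        *[!0-7]*|'') echo "invalid-mode"; return 2 ;;
    esac
    bits=$((0$mode))   # leading 0 makes the shell parse the mode as octal
    if [ $((bits & 04000)) -ne 0 ] && [ $((bits & 02000)) -ne 0 ]; then
        echo "both:$owner:$group"
    elif [ $((bits & 04000)) -ne 0 ]; then
        echo "suid:$owner"
    elif [ $((bits & 02000)) -ne 0 ]; then
        echo "sgid:$group"
    else
        echo "none"
    fi
}

# inspect_helper PATH: stat the binary and report its classification.
# Uses GNU stat format specifiers (%a octal mode, %U owner, %G group).
inspect_helper() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "missing:$path"
        return 1
    fi
    out=$(stat -c '%a %U %G' "$path") || return 1
    set -- $out
    printf '%s mode %s owner %s group %s -> %s\n' \
        "$path" "$1" "$2" "$3" "$(classify_helper "$1" "$2" "$3")"
}

# Only probe the real system when the helper is present on this machine.
[ -e "$CHKPWD_PATH" ] && inspect_helper "$CHKPWD_PATH"
```

On the versions listed in the report the output should end in `sgid:shadow`; a `suid:root` result means the helper carries the older layout the report asks about.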