Package: libnss-mysql-bg
Version: 1.5-2

A user whose account is stored in a MySQL database can only be authenticated
if the authentication process runs as root.

Therefore the user can log in on the console (getty), over the network (sshd)
and in GNOME (gdm3), because those processes run as root. But he cannot unlock
his screensaver (gnome-screensaver) or a locked screen session (Ctrl-X
in a running screen), because these processes do not run as root.

The reason is that libnss-mysql-bg is designed for systems where only
root is allowed to read shadow information, and /sbin/unix_chkpwd is
setuid root.

Under Debian, the policy is different: shadow information can be read
by processes running under the egid "shadow", and /sbin/unix_chkpwd
is setgid shadow, not setuid root.

In libnss-mysql-bg, two changes are needed to match Debian's policy:

1. The file /etc/libnss-mysql-root.cnf must be installed with
   permissions 640 root:shadow (currently 600 root:root).

2. Within the libnss-mysql-bg implementation, the security check
   must be extended to check not only for euid=root, but also for
   egid=shadow. See patch below.


----- cut here -----
--- libnss-mysql-bg-1.5/src/lookup.c.orig       2011-09-13 09:28:30.000000000 
+0200
+++ libnss-mysql-bg-1.5/src/lookup.c    2011-09-13 09:47:16.000000000 +0200
@@ -21,6 +21,8 @@
 #include "nss_mysql.h"
 #include <stdio.h>      /* snprintf () */
 #include <string.h>     /* strcpy () */
+#include <sys/types.h>
+#include <grp.h>

 extern conf_t conf;

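Review bot: the two new includes drop the file's convention of annotating each header with the function it is pulled in for (`#include <stdio.h>      /* snprintf () */`); add `/* getgrnam () */` to `<grp.h>` and `/* gid_t */` to `<sys/types.h>`. The second hunk also calls getegid(), which is declared in `<unistd.h>`; that header is presumably already included for geteuid(), but it is worth confirming rather than relying on it transitively.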
@@ -131,12 +133,22 @@
   int attempts = MAX_QUERY_ATTEMPTS;    /* Attempt # (countdown) */
   static uid_t euid = -1;               /* Last known euid for change detect */
   uid_t cur_euid;                       /* CURRENT euid */
+  gid_t cur_egid;                      /* CURRENT egid */
+  gid_t shadow_gid;                    /* gid for group shadow (usually 42 on 
Debian) */

   DENTER

   cur_euid = geteuid ();
+
+  /* Get shadow gid, if needed */
+  if(cur_euid != 0) {
+    cur_egid = getegid ();
+    struct group *grp = getgrnam("shadow");
+    shadow_gid = (grp ? grp->gr_gid : -1);
+  }
+
   D ("%s: restricted = %d, cur_euid = %u", FUNCNAME, restricted, cur_euid);
-  if (restricted == ntrue && cur_euid != 0)
+  if (restricted == ntrue && cur_euid != 0 && (shadow_gid == -1 || cur_egid != 
shadow_gid))
     DSRETURN (NSS_NOTFOUND)

    /* Make sure euid hasn't changed, thus changing our access abilities */
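Review bot: getgrnam("shadow") resolves the group through NSS itself, so if group lookups are also served by this module the call re-enters this same function before the restricted check is reached, and for a non-root caller calls getgrnam again; it also uses a static result buffer, while NSS modules are loaded into multithreaded processes. Prefer getgrnam_r() with a caller-supplied buffer, and consider resolving the gid once (or taking it from configuration) instead of on every lookup. Two smaller points: the change-detection below still tracks only euid ("Make sure euid hasn't changed"), so an egid change is not noticed; and cur_egid and shadow_gid are assigned only on the cur_euid != 0 path, so initialize them at declaration (shadow_gid to `(gid_t)-1`, making the unsigned comparison against -1 explicit) to avoid maybe-uninitialized warnings.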
----- cut here -----