runuser doesn't authenticate PAM modules

Bug #1804417 reported by Tobias Karnat
This bug affects 1 person
Affects: util-linux (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

We use the pam_localuser.so PAM module to authenticate only local users when root becomes another user,
because we don't want root to be able to become a domain user (we use sssd with AD integration).

This works well with the su program, but fails with runuser.
We added the following in front of pam_rootok.so in the files /etc/pam.d/su and runuser:
auth required pam_localuser.so

As I have found out, this behaviour can easily be changed by applying the following patch:
diff -urN util-linux-2.31.1/login-utils/su-common.c util-linux-2.31.1/login-utils/su-common.c
--- util-linux-2.31.1/login-utils/su-common.c 2018-11-21 10:56:05.100179733 +0100
+++ util-linux-2.31.1/login-utils/su-common.c 2018-11-21 11:10:40.458312830 +0100
@@ -709,7 +709,6 @@
                 */
                if (su->restricted)
                        errx(EXIT_FAILURE, _("may not be used by non-root users"));
- return;
        }

        rc = pam_authenticate(su->pamh, 0);
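Review bot: removing the `return;` after the `su->restricted` check makes the runuser path fall through into `pam_authenticate()` and whatever follows it, so runuser stops being a "session only" PAM client and starts evaluating the `auth` stack like su does; any existing /etc/pam.d/runuser whose `auth` lines are not satisfied for root (or that has none) will begin failing or prompting where it used to succeed. The comment whose closing `*/` sits just above `if (su->restricted)` documents this block and needs to be revised to describe the new flow, and the change should ship together with an updated distro /etc/pam.d/runuser rather than rely on each site editing it; the reporter's own follow-up shows the same restriction can be expressed as a `session` line without changing the binary, which is worth weighing against a behaviour change for every runuser caller.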

And it works as expected:
# runuser domainuser
runuser: Permission denied

However, we would always need to recompile util-linux as new security updates come out.

Could this please be applied to the Ubuntu repository and backported for bionic?
I will contact the util-linux maintainer separately in order to get this upstream.

Tags: patch
Tobias Karnat (tobiaskarnat-remondis) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "util-linux_2.31.1_runuser_pam.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Tobias Karnat (tobiaskarnat-remondis) wrote :

As a workaround we now use the following configuration as the maintainer suggested to us:

# cat /etc/pam.d/runuser
#%PAM-1.0
auth sufficient pam_rootok.so
session required pam_localuser.so

Which works as well:
# runuser domainuser
runuser: cannot open session: Permission denied
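
The two configurations in this thread, run through a small model of how libpam evaluates a stack. This is an added example and not code from util-linux, Linux-PAM or the bug reporter. It assumes that su evaluates the auth stack and then the session stack while runuser evaluates only the session stack (runuser returns before pam_authenticate(), as the patch context in the bug description shows); it models only the simple control keywords (required, requisite, sufficient, optional); it uses pam_permit.so as a stand-in for whatever session modules the distro's runuser file carries; and it uses a constructed passwd list in which only root and alice are local. It also goes beyond the bug: it shows what happens when pam_localuser.so is listed after pam_rootok.so in the auth stack (a sufficient success ends the stack, so the restriction never runs) and what a non-root caller gets from the workaround stack.

```python
"""Toy model of Linux-PAM stack evaluation (added example, not project code).

Assumptions, not taken from the bug page: su runs the auth then session
stacks and runuser runs only the session stack; only the simple control
keywords are modelled; account/password groups are ignored; pam_permit.so
stands in for distro session modules; the passwd text is constructed.
"""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 6   # what pam_localuser returns for a user not in /etc/passwd
PAM_AUTH_ERR = 7      # what pam_rootok returns when the caller is not uid 0

# Management groups each caller runs, in order (assumption, see above).
CALLER_STACKS = {"su": ("auth", "session"), "runuser": ("session",)}

# Constructed stand-in for /etc/passwd: root and alice are local;
# "domainuser" exists only in the directory, so pam_localuser rejects it.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# pam.conf(5) defines the simple keywords as [value=action] pairs:
#   required=[success=ok default=bad]  requisite=[success=ok default=die]
#   sufficient=[success=done default=ignore]  optional=[success=ok default=ignore]
ACTIONS = {
    "required": ("ok", "bad"),
    "requisite": ("ok", "die"),
    "sufficient": ("done", "ignore"),
    "optional": ("ok", "ignore"),
}


def local_users(passwd_text):
    """Login names in passwd-format text: the lookup pam_localuser performs."""
    return {line.split(":", 1)[0] for line in passwd_text.splitlines() if line.strip()}


def parse_pam_file(text):
    """Parse '<group> <control> <module> [args...]' lines into per-group stacks."""
    stacks = {"auth": [], "account": [], "password": [], "session": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#%PAM-1.0' is just a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        group, control, module = fields[0].lower(), fields[1].lower(), fields[2]
        if group not in stacks:
            raise ValueError("unknown management group in: %r" % raw)
        if control not in ACTIONS:
            raise ValueError("only simple control keywords are modelled: %r" % raw)
        stacks[group].append((control, module, fields[3:]))
    return stacks


# The decision each modelled module makes, given the call context.  The real
# modules implement more hooks; only their verdict matters for this model.
MODULES = {
    "pam_rootok.so": lambda ctx: PAM_SUCCESS if ctx["caller_uid"] == 0 else PAM_AUTH_ERR,
    "pam_localuser.so": lambda ctx: (PAM_SUCCESS if ctx["target_user"] in ctx["local_users"]
                                     else PAM_PERM_DENIED),
    "pam_permit.so": lambda ctx: PAM_SUCCESS,
    "pam_deny.so": lambda ctx: PAM_PERM_DENIED,
}


def run_stack(entries, ctx):
    """Evaluate one group the way libpam's dispatcher does for simple keywords."""
    impression = None          # None: undecided, True: positive, False: negative
    status = PAM_PERM_DENIED   # an empty or entirely ignored stack fails
    for control, module, _args in entries:
        if module not in MODULES:
            raise ValueError("module not modelled: %s" % module)
        rc = MODULES[module](ctx)
        action = ACTIONS[control][0 if rc == PAM_SUCCESS else 1]
        if action in ("ok", "done"):
            if impression is None:            # an earlier failure is never overridden
                impression, status = True, PAM_SUCCESS
            if action == "done" and impression is True:
                break                         # 'sufficient' success ends the stack
        elif action in ("bad", "die"):
            if impression is not False:       # the first failure is the one reported
                impression, status = False, rc
            if action == "die":
                break                         # 'requisite' failure ends the stack
        # 'ignore': this module's result does not affect the outcome
    return status


def simulate(program, pam_text, caller_uid, target_user, passwd_text=PASSWD):
    """Return ('ok', None) or ('denied', <group>) for one su/runuser invocation."""
    stacks = parse_pam_file(pam_text)
    ctx = {"caller_uid": caller_uid, "target_user": target_user,
           "local_users": local_users(passwd_text)}
    for group in CALLER_STACKS[program]:
        if run_stack(stacks[group], ctx) != PAM_SUCCESS:
            return ("denied", group)
    return ("ok", None)


# The reporter's first attempt: pam_localuser in front of pam_rootok in auth.
# The session line is a constructed stand-in for the distro's session modules.
AUTH_FIRST = "auth required pam_localuser.so\nauth sufficient pam_rootok.so\nsession required pam_permit.so\n"
# The workaround from the bug: restrict in the session stack instead.
SESSION_RESTRICT = "#%PAM-1.0\nauth sufficient pam_rootok.so\nsession required pam_localuser.so\n"
# Same modules as AUTH_FIRST, but pam_localuser listed after pam_rootok.
WRONG_ORDER = "auth sufficient pam_rootok.so\nauth required pam_localuser.so\nsession required pam_permit.so\n"

if __name__ == "__main__":
    for name, cfg in (("auth-first", AUTH_FIRST), ("session", SESSION_RESTRICT), ("wrong-order", WRONG_ORDER)):
        for prog in ("su", "runuser"):
            for user in ("alice", "domainuser"):
                print(f"{name:12} {prog:8} root -> {user:11} {simulate(prog, cfg, 0, user)}")
```

Running the block prints one line per configuration, program and target user. With pam_localuser.so in the auth stack, su denies root becoming domainuser at the auth stage while runuser lets it through, because runuser never evaluates that stack; with the session placement both programs deny at the session stage, which is the "cannot open session: Permission denied" seen in the workaround comment. The wrong-order configuration shows why the reporter put pam_localuser.so in front of pam_rootok.so: once a sufficient module succeeds with no earlier failure recorded, the rest of the stack is not consulted.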
