Default pam configuration with 'sufficient' may lead to security issue
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
libpam-script (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
I have noticed that pam_script.so is set to 'sufficient' upon installation. This may lead the user to inadvertently authorize users with any password.
Example procedure :
```
apt install libpam-scrip
printf '#!/bin/sh\nexit 0' > /usr/share/
chmod +x /usr/share/
```
In this situation, any password is accepted to log in.
I think this is by design in order to use pam_script for authentication, but pam_script can also be used for other purposes (ex. logging). README.Debian correctly warn the user though :
/usr/share/
> Libpam-script comes with a config file which is installed in
> /usr/share/
> unwanted behavior by default.
As this package will be mostly used by system administrators, it may be acceptable to leave the configuration to 'sufficient' as it is.
---
Ubuntu 20.04.2 LTS
libpam-script:
Installed: 1.1.9-4
Candidate: 1.1.9-4
Version table:
*** 1.1.9-4 500
500 http://
100 /var/lib/
Let me add that this package is also installed by common users, that is, non-system administrators.
And if simply installed it leaves the whole authentication spamming irrelevant errors in /var/log/auth.log:
... cron:session) : session closed for user root libpam- script/ pam_script_ acct libpam- script/ pam_script_ ses_open
pam_unix(
pam-script[14236]: can not stat /usr/share/
pam-script[14236]: can not stat /usr/share/
...
The instructions in the README.debian are non-trivial (for common user unfamiliar with PAM). It can be easily misconfigured, as pointed out by the bug report.
I wanted to point out that it is also a hassle for the common user, that needs the package in some other simpler context, but in order to use it is forced to spend considerable time studying PAM and `libpam-script`.
Example of such simpler use case: ["Different PAM configurations for lockscreen vs login"](https:/ /unix.stackexch ange.com/ questions/ 473810/ gnome-different -pam-configurat ions-for- lockscreen- vs-login)
It seems a better and safer default would be not to install itself into any /etc/pam.d files.
For system admins it will be easy and probably desirable to manually (or with their own scripts) to change /etc/pam.d files as appropriate.
And for the common user if configurations are not changed there are no risks or hassle.