fprintd allows unauthorized root access
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| fprintd | Invalid | Medium | | |
| fprintd (Ubuntu) | Fix Released | High | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Groovy | Won't Fix | Undecided | Unassigned | |
Bug Description
For some reason, fprintd-enroll does not require any special authorization to run.
This means that anyone coming across or stealing a machine with it installed and which is currently logged in and for which fingerprints are enabled for sudo authentication can elevate their access to superuser by simply running fprintd-enroll and scanning their own fingers. A subsequent sudo command will then give the new user access.
Even if sudo access is not granted through fingerprints, a thief could get continued access to someone's account (for subsequent logging in) if they can enroll new fingerprints without re-authenticating as the original user.
This seems a security threat.
ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: fprintd 0.6.0-1
ProcVersionSign
Uname: Linux 4.2.0-23-generic x86_64
ApportVersion: 2.19.1-0ubuntu5
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Jan 8 11:35:02 2016
EcryptfsInUse: Yes
InstallationDate: Installed on 2015-12-18 (21 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Release amd64 (20151021)
SourcePackage: fprintd
UpgradeStatus: No upgrade log present (probably fresh install)
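The report above says enrollment runs without any authorization. An administrator can check what the installed polkit policy actually allows for the enrollment action. The script below is an added example, not part of the bug report or of fprintd; it assumes the action id `net.reactivated.fprint.device.enroll` from fprintd's polkit policy file, parses `pkaction --verbose` output, and is exercised here on constructed sample output.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the polkit authorization
# for fingerprint enrollment. Action id assumed from fprintd's policy file.
ENROLL_ACTION="net.reactivated.fprint.device.enroll"

# Constructed sample of `pkaction --verbose --action-id ...` output for a
# policy where an active local session may enroll with no authentication,
# i.e. the condition the report describes.
SAMPLE_UNAUTH='net.reactivated.fprint.device.enroll:
  description:       Enroll new fingerprints
  message:           Privileges are required to enroll new fingerprints.
  implicit any:      no
  implicit inactive: no
  implicit active:   yes'

# Constructed sample of a hardened policy (auth_admin_keep chosen as an
# illustration; not a claim about what any fprintd release ships).
SAMPLE_HARDENED='net.reactivated.fprint.device.enroll:
  implicit any:      no
  implicit inactive: no
  implicit active:   auth_admin_keep'

# Print the "implicit active" authorization from pkaction output on stdin.
implicit_active_policy() {
    awk -F': *' '/^ *implicit active:/ { gsub(/[ \t]+$/, "", $2); print $2; exit }'
}

# 0: active sessions must authenticate (or are denied); 1: enrollment is
# allowed with no authentication at all; 2: value not recognised.
enroll_requires_auth() {
    policy=$(implicit_active_policy)
    case "$policy" in
        yes) return 1 ;;
        no|auth_self|auth_self_keep|auth_admin|auth_admin_keep) return 0 ;;
        *) return 2 ;;
    esac
}

# Human-readable verdict for pkaction output on stdin; never aborts the shell.
report_policy() {
    rc=0; enroll_requires_auth || rc=$?
    case $rc in
        0) echo "ok: enrollment requires authentication" ;;
        1) echo "WEAK: active sessions may enroll without authenticating" ;;
        *) echo "unknown: could not parse 'implicit active' from pkaction output" ;;
    esac
}

# Demonstration on the constructed sample. On a live system run:
#   pkaction --verbose --action-id "$ENROLL_ACTION" | report_policy
printf '%s\n' "$SAMPLE_UNAUTH" | report_policy
```

Use the live `pkaction` pipeline from the last comment on the machine being audited; the constructed sample only shows the weak case the report describes.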
information type: Private Security → Public Security
Changed in fprintd (Ubuntu): status: New → Confirmed
Changed in fprintd (Ubuntu): importance: Undecided → High
Changed in fprintd: importance: Unknown → Medium; status: Unknown → Invalid
Changed in fprintd (Ubuntu): assignee: Marco Trevisan (Treviño) (3v1n0) → nobody
Changed in fprintd (Ubuntu): status: Confirmed → Fix Released
Changed in fprintd (Ubuntu): status: Fix Released → In Progress
I don't see any PAM modules in the fprintd package when I installed it into a test VM. This issue may be in whatever PAM module package uses fprintd rather than the fprintd package itself. Which PAM module did you install to get this behaviour?
Thanks