Ubuntu
libpam-script package

Default pam configuration with 'sufficient' may lead to security issue

Bug #1931848 reported by Maxime Accadia
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libpam-script (Ubuntu)
New
Undecided
Unassigned

Bug Description

I have noticed that pam_script.so is set to 'sufficient' upon installation. This may lead the user to inadvertently authorize users with any password.

Example procedure :

```
apt install libpam-scrip
printf '#!/bin/sh\nexit 0' > /usr/share/libpam-script/pam_script_auth
chmod +x /usr/share/libpam-script/pam_script_auth
```

In this situation, any password is accepted to log in.

I think this is by design in order to use pam_script for authentication, but pam_script can also be used for other purposes (ex. logging). README.Debian correctly warn the user though :

/usr/share/doc/libpam-script/README.Debian
> Libpam-script comes with a config file which is installed in
> /usr/share/pam-configs/pam_script please verify that it doesn't introduce
> unwanted behavior by default.

As this package will be mostly used by system administrators, it may be acceptable to leave the configuration to 'sufficient' as it is.

---
Ubuntu 20.04.2 LTS

libpam-script:
  Installed: 1.1.9-4
  Candidate: 1.1.9-4
  Version table:
 *** 1.1.9-4 500
        500 http://fr.archive.ubuntu.com/ubuntu focal/universe amd64 Packages
        100 /var/lib/dpkg/status

Revision history for this message
Jan Pfeifer (pfjan) wrote :

Let me add that this package is also installed by common users, that is, non-system administrators.

And if simply installed it leaves the whole authentication spamming irrelevant errors in /var/log/auth.log:

...
pam_unix(cron:session): session closed for user root
pam-script[14236]: can not stat /usr/share/libpam-script/pam_script_acct
pam-script[14236]: can not stat /usr/share/libpam-script/pam_script_ses_open
...

The instructions in the README.debian are non-trivial (for common user unfamiliar with PAM). It can be easily misconfigured, as pointed out by the bug report.

I wanted to point out that it is also a hassle for the common user, that needs the package in some other simpler context, but in order to use it is forced to spend considerable time studying PAM and `libpam-script`.

Example of such simpler use case: ["Different PAM configurations for lockscreen vs login"](https://unix.stackexchange.com/questions/473810/gnome-different-pam-configurations-for-lockscreen-vs-login)

It seems a better and safer default would be not to install itself into any /etc/pam.d files.

For system admins it will be easy and probably desirable to manually (or with their own scripts) to change /etc/pam.d files as appropriate.

And for the common user if configurations are not changed there are no risks or hassle.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.