pam_tty_audit failed in pam_open_session

Bug #1666203 reported by Toru Ikezoe on 2017-02-20
46
This bug affects 8 people
Affects Status Importance Assigned to Milestone
pam (Debian)
Fix Released
Unknown
pam (Ubuntu)
Medium
Don van der Haghen
Xenial
Undecided
Unassigned
Bionic
Undecided
Unassigned

Bug Description

Dear Maintainer.

I found a bug in pam_tty_audit.
When Using the pam_tty_audit with other pam modules(ex, pam_ldap), it failed in pam_open_session.
It was triggared by use uninitialized variable in pam_tty_audit.c::pam_open_session.

* Enviroments
Ubuntu 14.04.4 LTS
linux-image-3.16.0-71-generic 3.16.0-71.92~14.04.1
libpam-ldap:amd64 184-8.5ubuntu3
libpam-modules:amd64 1.1.8-1ubuntu2.2

Ubuntu 16.04.2 TLS
linux-image-4.4.0-62-generic 4.4.0-62.83
libpam-ldap:amd64 184-8.7ubuntu1
libpam-modules:amd64 1.1.8-3.2ubuntu2

* Reproduction method
1. Install libpam-ldap.
2. Add the following to the end of /etc/pam.d/common-sessions
--------
session required pam_tty_audit.so enable=* open_only
--------
3. When logging in with ssh etc., pam_tty_audit will fail and login fails

* Solution (== 2018/04/16 Link updated ==)
apply upstream patch
https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee

* Logs (on Ubuntu14.04)
-- auth.log --
May 18 14:47:03 vm sshd[2272]: Accepted publickey for test from 10.99.0.1 port 51398 ssh2: RSA 8f:39:1c:3a:f4:9d:ca:99:67:fc:e3:fd:1e:0c:5b:a8
May 18 14:47:03 vm sshd[2272]: pam_unix(sshd:session): session opened for user test by (uid=0)
May 18 14:47:03 vm sshd[2272]: pam_tty_audit(sshd:session): error setting current audit status: Invalid argument
May 18 14:47:03 vm sshd[2272]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
May 18 14:47:03 vm sshd[2297]: Received disconnect from 10.99.0.1: 11: disconnected by user

-- syslog --
May 18 14:47:03 vm audispd: node=vm type=USER_ACCT msg=audit(1463550423.399:58): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.403:59): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=LOGIN msg=audit(1463550423.403:60): pid=2272 uid=0 old-auid=4294967295 auid=20299 old-ses=4294967295 ses=3 res=1
May 18 14:47:03 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(1463550423.403:61): pid=2272 uid=0 auid=20299 ses=3 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_passwd=32743 res=0
May 18 14:47:03 vm audispd: node=vm type=USER_START msg=audit(1463550423.447:62): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:session_open acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=failed'
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.447:63): pid=2297 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=CRED_DISP msg=audit(1463550423.451:64): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'

Thanks regards.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam (Ubuntu):
status: New → Confirmed
description: updated
Robie Basak (racb) on 2019-01-13
Changed in pam (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Robie Basak (racb) wrote :

Please see https://wiki.ubuntu.com/SponsorshipProcess and https://wiki.ubuntu.com/StableReleaseUpdates#Procedure if you can volunteer to get the fix landed. Note that I don't expect anyone to work on this any time soon. It needs volunteers.

tags: added: bionic
tags: added: trusty xen
tags: added: cosmic disco xenial
removed: xen
Changed in pam (Debian):
status: Unknown → New
Don van der Haghen (donvdh) wrote :

Attached patch (which is based on pam_1.1.8-3.6ubuntu2) fixes the issue for Ubuntu 18.04/Bionic
Following fix was implemented as mentioned by the reporter of the LP bug: https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee

I tested the patch and it indeed resolves the issue: pam_tty_audit now
works as expected and users are still able to login after adding:
session required pam_tty_audit.so enable=root
to
/etc/pam.d/common-session

"aureport --tty" shows the expected output.

  * Fix: pam_tty_audit failed in pam_open_session (LP: #1666203)

The patch has also been submitted to Debian.

The attachment "bionic-fix-for-lp-1666203.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Don van der Haghen (donvdh) wrote :

I am unable to reproduce this issue on Ubuntu 16.04/Xenial with:
libpam-modules 1.1.8-3.2ubuntu2.1
kernel 4.4.0-112-generic

Toru Ikezoe: Could you verify whether this issue still exists on 16.04?

I currently have no plans on testing with Ubuntu 14.04 because of end of support on april 2019.

Changed in pam (Ubuntu):
assignee: nobody → Don van der Haghen (donvdh)
Toru Ikezoe (toru-ikezoe) wrote :

Thank you for your response.

I tested on 16.04/xenial with below packages, but this issue still exists.
libpam-modules-bin 1.1.8-3.2ubuntu2.1
linux-image-4.4.0-137-generic 4.4.0-137.163

This issue has been fixed on the PAM 1.2.0, but 16.04/xenial and 18.04/bionic used the PAM 1.1.8 and the current package is not include a patche for this issue.

I also tested with commit https://github.com/linux-pam/linux-pam/commit/05a1ccc0df92d0ca031699124ddf7ec3ce12f78f#diff-c5b734a338a8a0460af7f0c08a7b138a which fixes yet another uninitialized use.

Resulting pam_tty_audit.so with both mentioned upstream commits tested and works on bionic, cosmic, and disco.

Don van der Haghen (donvdh) wrote :

Thank you both very much for the responses.

Toru: I just tested this on another 16.04 system (now with kernel 4.4.0-142-generic) and was unable to reproduce the issue there also. I was able to reproduce the issue on both Bionic systems I tested however. So there seems to be a difference between Xenial and Bionic.

Patrik: I believe LTS patches are required to be as minimal as possible to minimize regression risk. It appears that the bug is resolved without the change you mentioned. I looked at the code quickly and couldn't determine whether this change is strictly necessary as the variable that is initialized doesn't seem to be used within the module itself. Should you disagree, then please report back.

I would like to ask a sponsor to review the debdiff and give feedback about what changes are desired to get the patch accepted. I will then also test the disco release.

Any feedback or additional information is more than welcome, I'm just trying to move this issue forward as well as I can.

Seth Arnold (seth-arnold) wrote :

Hello Don, probably an SRU sponsor would like the debdiff to include references where to find the patch that you applied in upstream sources or other bug reports. The usual way to do so is via a Description: and Origin: header in the patch, see https://dep-team.pages.debian.net/deps/dep3/ for more information.

Thanks

Toru Ikezoe (toru-ikezoe) wrote :

Hi Don-san.

I am able to reproduce with the following procedure.

-----------------
vagrant init ubuntu/xenial64
vagrant ssh
# at xenial64 on VM
echo 'session required pam_tty_audit.so enable=*' | sudo tee -a /etc/pam.d/common-session
-----------------

When 'vagrant ssh' from other terminal, it is fail.
I tested below environment.
-----------------
vagrant@ubuntu-xenial:~$ uname -a
Linux ubuntu-xenial 4.4.0-142-generic #168-Ubuntu SMP Wed Jan 16 21:00:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
vagrant@ubuntu-xenial:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.5 LTS
Release: 16.04
Codename: xenial
vagrant@ubuntu-xenial:~$ dpkg -l | grep -E 'libpam|linux-image'
ii libpam-modules:amd64 1.1.8-3.2ubuntu2.1 amd64 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.8-3.2ubuntu2.1 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.8-3.2ubuntu2.1 all Runtime support for the PAM library
ii libpam-systemd:amd64 229-4ubuntu21.15 amd64 system and service manager - PAM module
ii libpam0g:amd64 1.1.8-3.2ubuntu2.1 amd64 Pluggable Authentication Modules library
ii linux-image-4.4.0-142-generic 4.4.0-142.168 amd64 Linux kernel image for version 4.4.0 on 64 bit x86 SMP
ii linux-image-virtual 4.4.0.142.148 amd64 This package will always depend on the latest minimal generic kernel image.
vagrant@ubuntu-xenial:~$
-----------------

If you cannot reproduce this issue above procedure, you try to enable/disable other pam module.
This problem is caused by an uninitialized stack variable, so it is important to manipulate the state of the stack to reproduce it.
For example, it is good to activate pam_ldap.

Don, I've looked closer at the code and I agree with you.

Don van der Haghen (donvdh) wrote :

Thank you all very much for the responses.

I added the description, origin and bug headers to the bionical debdiff, new debdiff is attached.

I was able to reproduce the issue on xenial using vagrant, I will create and test a patch.

Don van der Haghen (donvdh) wrote :

Please see attached patch for Ubuntu 16.04/Xenial.
I have tested and verified that the patch works as intended.

Steve Langasek (vorlon) wrote :

This has been fixed for disco with the upload of pam 1.3.1-2ubuntu1.

Changed in pam (Ubuntu):
status: Triaged → Fix Released
Changed in pam (Debian):
status: New → Fix Released
tranadols (tramadols) on 2019-02-13
description: updated
description: updated
Don van der Haghen (donvdh) wrote :

Thanks Steve!

However, what is the status for Xenial and Bionic?
The bug seems closed now (status: fix released), can someone reopen it?

Steve Langasek (vorlon) wrote :

I have opened bug tasks for the bionic and xenial releases. Your patches are in the queue for the ubuntu-sponsors team to review.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pam (Ubuntu Bionic):
status: New → Confirmed
Changed in pam (Ubuntu Xenial):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.