Return only PAM_IGNORE or error from pam_motd

Bug #1856703 reported by Balint Reczey on 2019-12-17
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Undecided
Unassigned
Eoan
Undecided
Unassigned
Balint Reczey (rbalint) wrote :

[ Impact ]

 * In highly unlikely non-default configuration pam_motd may be configured to influence PAM's authentication and reporting PAM_SUCCESS may let users in the system.
 * The fix is returning only PAM_IGNORE and error values.

[ Test Case ]

  * Configure PAM to deny access when pam_motd returns PAM_SUCCESS:
  $ cat /etc/pam.d/login

...
session [success=die ignore=ignore] pam_motd.so motd=/run/motd.dynamic
...

 * Try to log in:
   # login ubuntu

 * Observe being able to log in due to pam_motd not returning PAM_SUCCESS

[Regression Potential]

  * Minimal this is a fix partially reverting the behaviour change that was found undesired in LP: #1855092 . The return value of pam_motd is ignored in real-world configurations, thus it does not matter.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.3.1-5ubuntu4

---------------
pam (1.3.1-5ubuntu4) focal; urgency=medium

  * Return only PAM_IGNORE or error from pam_motd (LP: #1856703)

 -- Balint Reczey <email address hidden> Tue, 17 Dec 2019 17:41:40 +0100

Changed in pam (Ubuntu):
status: New → Fix Released

Hello Balint, or anyone else affected,

Accepted pam into eoan-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pam/1.3.1-5ubuntu1.19.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-eoan to verification-done-eoan. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-eoan. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pam (Ubuntu Eoan):
status: New → Fix Committed
tags: added: verification-needed verification-needed-eoan

All autopkgtests for the newly accepted pam (1.3.1-5ubuntu1.19.10.1) for eoan have finished running.
The following regressions have been reported in tests triggered by the package:

openssh/1:8.0p1-6build1 (ppc64el, amd64, s390x, armhf, i386, arm64)
kscreenlocker/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/eoan/update_excuses.html#pam

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Balint Reczey (rbalint) wrote :
Download full text (4.0 KiB)

Verified 1.3.1-5ubuntu1.19.10.1 on Eoan.

root@ee-proposed:~# login ubuntu
Password:
Last login: Wed Feb 5 15:40:20 UTC 2020 on UNKNOWN
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-29-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Wed Feb 5 15:41:25 UTC 2020

  System load: 0.56 Processes: 39
  Usage of /home: unknown Users logged in: 0
  Memory usage: 1% IP address for eth0: 10.84.73.86
  Swap usage: 28%

28 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

*** System restart required ***

Permission denied
root@ee-proposed:~# dpkg -l libpam-modules
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-====================-======================-============-========================================
ii libpam-modules:amd64 1.3.1-5ubuntu1.19.10.0 amd64 Pluggable Authentication Modules for PAM
root@ee-proposed:~# apt install -qqy libpam-modules=1.3.1-5ubuntu1.19.10.1 update-motd libpam-modules-bin=1.3.1-5ubuntu1.19.10.1
update-motd is already the newest version (3.6-0ubuntu1.19.10.1).
The following packages were automatically installed and are no longer required:
  command-not-found-data libdumbnet1 libidn11 libip4tc0 libip6tc0 multiarch-support
Use 'apt autoremove' to remove them.
The following packages will be upgraded:
  libpam-modules libpam-modules-bin
2 upgraded, 0 newly installed, 0 to remove and 29 not upgraded.
Need to get 288 kB of archives.
After this operation, 0 B of additional disk space will be used.
Preconfiguring packages ...
(Reading database ... 32593 files and directories currently installed.)
Preparing to unpack .../libpam-modules-bin_1.3.1-5ubuntu1.19.10.1_amd64.deb ...
Unpacking libpam-modules-bin (1.3.1-5ubuntu1.19.10.1) over (1.3.1-5ubuntu1.19.10.0) ...
Setting up libpam-modules-bin (1.3.1-5ubuntu1.19.10.1) ...
(Reading database ... 32593 files and directories currently installed.)
Preparing to unpack .../libpam-modules_1.3.1-5ubuntu1.19.10.1_amd64.deb ...
Unpacking libpam-modules:amd64 (1.3.1-5ubuntu1.19.10.1) over (1.3.1-5ubuntu1.19.10.0) ...
Setting up libpam-modules:amd64 (1.3.1-5ubuntu1.19.10.1) ...
Processing triggers for man-db (2.8.7-3) ...
root@ee-proposed:~# login ubuntu
Password:
Last login: Wed Feb 5 15:41:25 UTC 2020 on UNKNOWN
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-29-generic x86_64)

 * Documentation: https://help.ubuntu.com
 * Management: https://landscape.canonical.com
 * Support: https://ubuntu.com/advantage

  System information as of Wed Feb 5 15:42:22 UTC 2020

  System load: 0.43 Processes: 39
  Usage of /home: unknown Users logged in: 0
  Memory usage: 1% IP address for eth0: 10.84.73.86
  Swap usage: 29%

26 updates can be installed immediately.
0 of these updates are secur...

Read more...

tags: added: verification-done verification-done-eoan
removed: verification-needed verification-needed-eoan
tags: added: id-5d78fc6cca6d1b77a77952cc
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pam - 1.3.1-5ubuntu1.19.10.1

---------------
pam (1.3.1-5ubuntu1.19.10.1) eoan; urgency=medium

  * Return only PAM_IGNORE or error from pam_motd (LP: #1856703)

 -- Balint Reczey <email address hidden> Tue, 17 Dec 2019 18:56:34 +0100

Changed in pam (Ubuntu Eoan):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for pam has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers