pam_motd sometimes inherits umask of user (via pam_umask)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
pam (Ubuntu) | Fix Released | Medium | Unassigned |
Bug Description
When performing install audits, I noticed that /run/motd had the following permissions:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:20 /run/motd
I found this odd and remembered https:/
TEST CASE:
1. login
2. sudo chmod 644 /run/motd
3. Check the permissions of /run/motd. Eg:
$ ls -l /run/motd
-rw-r--r-- 1 root root 198 2011-10-10 13:20 /run/motd
4. login via ssh (eg ssh 127.0.0.1)
5. Check the permissions of /run/motd. Eg:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:38 /run/motd
So, this happens on ssh logins and not console logins because pam_motd in console logins is earlier in the stack (before common-session, which has pam_umask in it). With ssh logins, pam_motd is after common-session.
This does not seem to be a security issue as the umask has to be adjusted via /etc/login.defs; however the side-effect is undesirable. While we could adjust the stacking, it seems a reasonable hardening measure would be for pam_motd to explicitly set its umask.
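The hardening the reporter proposes (force a known umask around the file write, then restore the caller's mask) can be shown in plain C. This is an added example, not the pam_motd patch: it writes a motd-style file into a directory you pass in, under a constructed session umask, with and without the hardening, and returns the resulting permission bits.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive write: the requested 0666 is masked by whatever umask the
 * calling process inherited (here, what pam_umask left behind). */
static int create_with_inherited_umask(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0) return -1;
    close(fd);
    return 0;
}

/* Hardened write, the pattern the fix describes: force a sane umask for
 * the duration of the write, then restore the caller's mask so the rest
 * of the session keeps the umask it was configured with. */
static int create_with_sane_umask(const char *path) {
    mode_t saved = umask(022);
    int rc = create_with_inherited_umask(path);
    umask(saved);
    return rc;
}

/* Simulate one login: the process umask is 'session_umask' (a constructed
 * value; 002 reproduces the -rw-rw-r-- seen in the report), a motd-style
 * file is written with or without the hardening, and its permission bits
 * are returned. -1 means the write failed or the session umask was lost. */
int mode_under_umask(const char *dir, mode_t session_umask, int hardened) {
    char path[4096];
    snprintf(path, sizeof path, "%s/motd.%s.%ld", dir,
             hardened ? "fixed" : "naive", (long)getpid());
    unlink(path);                       /* a stale file would keep its old mode */
    mode_t orig = umask(session_umask);
    int rc = hardened ? create_with_sane_umask(path)
                      : create_with_inherited_umask(path);
    struct stat st;
    int mode = (rc == 0 && stat(path, &st) == 0) ? (int)(st.st_mode & 0777) : -1;
    unlink(path);
    if (umask(orig) != session_umask)   /* the session umask must survive */
        mode = -1;
    return mode;
}

int main(void) {
    printf("naive: %04o\n", mode_under_umask("/tmp", 002, 0));  /* 0664 */
    printf("fixed: %04o\n", mode_under_umask("/tmp", 002, 1));  /* 0644 */
    return 0;
}
```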
description: updated
Changed in pam (Ubuntu):
status: New → In Progress
status: In Progress → Triaged
importance: Undecided → Medium
summary:
- pam_motd somtimes inherits umask of user (via pam_umask)
+ pam_motd sometimes inherits umask of user (via pam_umask)
This bug was fixed in the package pam - 1.1.3-5ubuntu1
---------------
pam (1.1.3-5ubuntu1) precise; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/libpam0g.postinst: drop kdm from the list of services to
      restart.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask
      addition.
    - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
      (Closes: #583958)
  * Dropped changes, included in Debian:
    - debian/patches-applied/CVE-2011-3148.patch
    - debian/patches-applied/CVE-2011-3149.patch
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
  * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd'
    in Ubuntu, so fix the restart handling.
  * debian/patches-applied/update-motd: set a sane umask before calling
    run-parts, and restore the old mask afterwards, so /run/motd gets
    consistent permissions. LP: #871943.
  * debian/patches-applied/update-motd: new module option for pam_motd,
    'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
    LP: #805423.

pam (1.1.3-5) unstable; urgency=low

  [ Kees Cook ]
  * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use
    setresgid() to wipe out saved-gid just in case.
  * debian/patches-applied/008_modules_pam_limits_chroot:
    - fix off-by-one when parsing configuration file.
    - when using chroot, chdir() to root to lose links to old tree.
  * debian/patches-applied/022_pam_unix_group_time_miscfixes,
    debian/patches-applied/026_pam_unix_passwd_unknown_user,
    debian/patches-applied/054_pam_security_abstract_securetty_handling:
    improve descriptions.
  *...