pam_motd sometimes inherits umask of user (via pam_umask)

Bug #871943 reported by Jamie Strandboge on 2011-10-10
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Medium
Unassigned

Bug Description

When performing install audits, I noticed that /run/motd had the following permissions:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:20 /run/motd

I found this odd and remembered https://blueprints.launchpad.net/ubuntu/+spec/umask-to-0002. While /etc/init/mounted-run.conf creates this initially on reboot, it turns out that the permissions are changed on login, via pam_motd.

TEST CASE:
1. login
2. sudo chmod 644 /run/motd
3. Check the permissions of /run/motd. Eg:
$ ls -l /run/motd
-rw-r--r-- 1 root root 198 2011-10-10 13:20 /run/motd
4. login via ssh (eg ssh 127.0.0.1)
5. Check the permissions of /run/motd. Eg:
$ ls -l /run/motd
-rw-rw-r-- 1 root root 198 2011-10-10 13:38 /run/motd

So, this happens on ssh logins and not console logins because pam_motd in console logins is earlier in the stack (before common-session, which has pam_umask in it). With ssh logins, pam_motd is after common-session.

This does not seem to be a security issue as the umask has to be adjusted via /etc/login.defs; however the side-effect is undesirable. While we could adjust the stacking, it seems a reasonable hardening measure would be for pam_motd to explicitly set its umask.

description: updated
Steve Langasek (vorlon) on 2011-10-11
Changed in pam (Ubuntu):
status: New → In Progress
status: In Progress → Triaged
importance: Undecided → Medium
summary: - pam_motd somtimes inherits umask of user (via pam_umask)
+ pam_motd sometimes inherits umask of user (via pam_umask)
Launchpad Janitor (janitor) wrote :
Download full text (4.9 KiB)

This bug was fixed in the package pam - 1.1.3-5ubuntu1

---------------
pam (1.1.3-5ubuntu1) precise; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/libpam-modules.postinst: Add PATH to /etc/environment if it's
      not present there or in /etc/security/pam_env.conf. (should send to
      Debian).
    - debian/libpam0g.postinst: only ask questions during update-manager when
      there are non-default services running.
    - Change Vcs-Bzr to point at the Ubuntu branch.
    - debian/patches-applied/series: Ubuntu patches are as below ...
    - debian/patches-applied/ubuntu-rlimit_nice_correction: Explicitly
      initialise RLIMIT_NICE rather than relying on the kernel limits.
    - debian/patches-applied/pam_motd-legal-notice: display the contents of
      /etc/legal once, then set a flag in the user's homedir to prevent
      showing it again.
    - debian/update-motd.5, debian/libpam-modules.manpages: add a manpage
      for update-motd, with some best practices and notes of explanation.
    - debian/patches/update-motd-manpage-ref: add a reference in pam_motd(8)
      to update-motd(5)
    - debian/libpam0g.postinst: drop kdm from the list of services to
      restart.
    - debian/libpam0g.postinst: check if gdm is actually running before
      trying to reload it.
    - debian/local/common-session{,-noninteractive}: Enable pam_umask by
      default, now that the umask setting is gone from /etc/profile.
    - debian/local/pam-auth-update: Add the new md5sums for pam_umask addition.
    - add debian/patches-applied/pam_umask_usergroups_from_login.defs.patch:
      Deprecate pam_unix' explicit "usergroups" option and instead read it
      from /etc/login.def's "USERGROUP_ENAB" option if umask is only defined
      there. This restores compatibility with the pre-PAM behaviour of login.
      (Closes: #583958)
  * Dropped changes, included in Debian:
    - debian/patches-applied/CVE-2011-3148.patch
    - debian/patches-applied/CVE-2011-3149.patch
    - debian/patches-applied/update-motd: updated to use clean environment
      and absolute paths in modules/pam_motd/pam_motd.c.
  * debian/libpam0g.postinst: the init script for 'samba' is now named 'smbd'
    in Ubuntu, so fix the restart handling.
  * debian/patches-applied/update-motd: set a sane umask before calling
    run-parts, and restore the old mask afterwards, so /run/motd gets
    consistent permissions. LP: #871943.
  * debian/patches-applied/update-motd: new module option for pam_motd,
    'noupdate', which suppresses the call to run-parts /etc/update-motd.d.
    LP: #805423.

pam (1.1.3-5) unstable; urgency=low

  [ Kees Cook ]
  * debian/patches-applied/pam_unix_dont_trust_chkpwd_caller.patch: use
    setresgid() to wipe out saved-gid just in case.
  * debian/patches-applied/008_modules_pam_limits_chroot:
    - fix off-by-one when parsing configuration file.
    - when using chroot, chdir() to root to lose links to old tree.
  * debian/patches-applied/022_pam_unix_group_time_miscfixes,
    debian/patches-applied/026_pam_unix_passwd_unknown_user,
    debian/patches-applied/054_pam_security_abstract_securetty_handling:
    improve descriptions.
  *...

Read more...

Changed in pam (Ubuntu):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers