missing pam_loginuid.so breaks getlogin()
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| at (Debian) | Fix Released | Unknown | | |
| at (Ubuntu) | Fix Released | High | Unassigned | |
| cron (Debian) | Fix Released | Unknown | | |
| cron (Ubuntu) | Fix Released | High | Unassigned | |
| openssh (Debian) | Fix Released | Unknown | | |
| openssh (Ubuntu) | Fix Released | High | Unassigned | |
| shadow (Debian) | Fix Released | Unknown | | |
| shadow (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
The getlogin() call in new glibc checks /proc/self/loginuid presence and trusts its value as the most safe source (due to its audit-related nature). But default /etc/pam.
(pam session without pam_loginuid)$ perl -e '$t=getlogin; print "$t\n";'
root
(pam session without pam_loginuid)$ id
uid=1000(...
just because /proc/self/loginuid contains '0' value
If I add pam_loginuid.so to /etc/pam.
(pam session with pam_loginuid)$ perl -e '$t=getlogin; print "$t\n";'
user
(pam session with pam_loginuid)$ id
uid=1000(...
# cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_
DISTRIB_
DISTRIB_
# dpkg -l|fgrep libpam
ii libpam-ck-connector 0.4.5-2 ConsoleKit PAM module
ii libpam-modules 1.1.3-7ubuntu2 Pluggable Authentication Modules for PAM
ii libpam-modules-bin 1.1.3-7ubuntu2 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.1.3-7ubuntu2 Runtime support for the PAM library
ii libpam0g 1.1.3-7ubuntu2 Pluggable Authentication Modules library
description: updated
Changed in openssh (Debian):
status: Unknown → Fix Released
Changed in shadow (Debian):
status: Unknown → New
Changed in at (Debian):
status: Unknown → New
Changed in cron (Debian):
status: Unknown → New
Changed in shadow (Debian):
status: New → Fix Committed
Changed in at (Debian):
status: New → Fix Committed
Changed in at (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in shadow (Debian):
status: Fix Committed → Fix Released
Changed in cron (Debian):
status: New → Fix Committed
Changed in cron (Debian):
status: Fix Committed → Fix Released
Changed in at (Debian):
status: Fix Committed → Fix Released
More to go:
Currently, /etc/pam.d/common-account (to be more correct, /etc/pam.d/common-session) doesn't distinguish between ordinary sessions (login, sshd, crond, etc.) and special ones (su and sudo). So my proposal is incorrect - better to add pam_loginuid to ordinary sessions and leave special sessions untouched.
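
The split between ordinary and special sessions described in the last comment can be checked mechanically. The script below is an added example, not part of the bug report or of any package's fix; it assumes the Debian/Ubuntu layout (per-service files named login, sshd, cron, atd, su and sudo under /etc/pam.d, shared stacks pulled in with `@include`) and runs against a constructed sample tree.

```sh
#!/bin/sh
# Added example, not from the bug report. Assumes the Debian/Ubuntu layout:
# one file per service in /etc/pam.d, shared stacks pulled in with "@include".
# Service file names below (login, sshd, cron, atd, su, sudo) are assumptions.

# Exit 0 if FILE has an active (uncommented) session line for pam_loginuid.so.
session_loginuid() {
    sed 's/#.*//' "$1" |
        grep -Eq '^[[:space:]]*-?session[[:space:]].*pam_loginuid\.so'
}

# has_loginuid DIR SERVICE: 0 = present (directly or via one @include level),
# 1 = absent, 2 = service file not found.
has_loginuid() {
    [ -r "$1/$2" ] || return 2
    session_loginuid "$1/$2" && return 0
    for inc in $(sed 's/#.*//' "$1/$2" | awk '$1 == "@include" { print $2 }'); do
        [ -r "$1/$inc" ] && session_loginuid "$1/$inc" && return 0
    done
    return 1
}

# Ordinary sessions should set loginuid; su and sudo should leave it untouched.
audit_pam_loginuid() {
    pamdir=${1:-/etc/pam.d}
    for svc in login sshd cron atd su sudo; do
        rc=0
        has_loginuid "$pamdir" "$svc" || rc=$?
        case "$svc:$rc" in
            *:2)         echo "$svc: not installed" ;;
            su:0|sudo:0) echo "$svc: UNEXPECTED pam_loginuid" ;;
            su:1|sudo:1) echo "$svc: ok" ;;
            *:0)         echo "$svc: ok" ;;
            *:1)         echo "$svc: MISSING pam_loginuid" ;;
        esac
    done
}

# Constructed sample tree: sshd sets loginuid, cron has the line commented out.
sample=$(mktemp -d)
printf 'session required pam_loginuid.so\n' > "$sample/sshd"
printf '#session required pam_loginuid.so\n@include common-session\n' > "$sample/cron"
printf '@include common-session\n' > "$sample/su"
printf 'session optional pam_umask.so\n' > "$sample/common-session"
audit_pam_loginuid "$sample"
rm -rf "$sample"
```

Placing the module in a shared file such as common-session makes every including service inherit it, which is why the audit follows `@include` and flags su and sudo when that happens.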