runuser doesn't authenticate PAM modules

Bug #1804417 reported by Tobias Karnat on 2018-11-21
This bug affects 1 person
Affects Status Importance Assigned to Milestone
util-linux (Ubuntu)

Bug Description

We use the PAM module to authenticate only local users for root to become.
Because we don't want that root can become a domain user (as we use sssd with ad integration).

This works well with the su program, but fails with runuser.
We added the following in front of in the files /etc/pam.d/su and runuser:
auth required

As I have found out, this behaviour can easily be changed by applying the following patch:
diff -urN util-linux-2.31.1/login-utils/su-common.c util-linux-2.31.1/login-utils/su-common.c
--- util-linux-2.31.1/login-utils/su-common.c 2018-11-21 10:56:05.100179733 +0100
+++ util-linux-2.31.1/login-utils/su-common.c 2018-11-21 11:10:40.458312830 +0100
@@ -709,7 +709,6 @@
                if (su->restricted)
                        errx(EXIT_FAILURE, _("may not be used by non-root users"));
- return;

        rc = pam_authenticate(su->pamh, 0);

And it works as expected:
# runuser domainuser
runuser: Permission denied

However, we would always need to recompile util-linux as new security updates come out.

Could this please be applied to the Ubuntu repository and backported for bionic?
I will contact the util-linux maintainer separately in order to get this upstream.

The attachment "util-linux_2.31.1_runuser_pam.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch

As a workaround we now use the following configuration as the maintainer suggested to us:

# cat /etc/pam.d/runuser
auth sufficient
session required

Which works as well:
# runuser domainuser
runuser: cannot open session: Permission denied

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers