pam session does not work in xrdp

Bug #1672742 reported by Klaus Steinberger
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
xrdp (Ubuntu)
Undecided
Unassigned

Bug Description

pam session management does not work in xrdp, because auth_start_session is called _after_ the Xserver.

This is already reported here (but not fixed):

https://github.com/neutrinolabs/xrdp/issues/350

As we discovered, it is also an (slight) security Issue, as the pam_limits.so will not work as intended:

Mar 14 14:59:56 gar-ws-rbg06 xrdp-sesman: pam_krb5(xrdp-sesman:auth): user Guinea.Pig authenticated as <email address hidden>
Mar 14 14:59:56 gar-ws-rbg06 xrdp-sesman: pam_unix(xrdp-sesman:session): session opened for user Guinea.Pig by (uid=0)
Mar 14 14:59:56 gar-ws-rbg06 systemd-logind[916]: New session c87 of user Guinea.Pig.
Mar 14 14:59:56 gar-ws-rbg06 xrdp-sesman: pam_limits(xrdp-sesman:session): conversation failed

So the user Session is created even if the user is not authorized to open sessions on the system.

The cure would be to move the call to auth_start_session before the forks.

Description: Ubuntu 16.04.2 LTS
Release: 16.04
root@gar-ws-rbg06:/etc/pam.d# apt-cache policy xrdp
xrdp:
  Installed: 0.6.1-2
  Candidate: 0.6.1-2
  Version table:
 *** 0.6.1-2 500
        500 http://z-sv-debmirror.server.physik.uni-muenchen.de/ubuntu xenial/universe amd64 Packages
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
root@gar-ws-rbg06:/etc/pam.d#

CVE References

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Klaus, is this a usability issue or does this also allow someone to improperly elevate their privileges?

Thanks

affects: ubuntu → xrdp (Ubuntu)
information type: Private Security → Public Security
Revision history for this message
Klaus Steinberger (klaus-steinberger) wrote : Re: [Bug 1672742] Re: pam session does not work in xrdp

Hi Seth,

> Hello Klaus, is this a usability issue or does this also allow someone
> to improperly elevate their privileges?

it does allow someone to login to machines which she/he has no right to access.
E.g. machines reserved for a group, or machines with special hardware which
should not be publicly available.

Sincerly,
Klaus

--
Rechnerbetriebsgruppe / IT, Fakultät für Physik
Klaus Steinberger
FAX: +49 89 28914280
Tel: +49 89 28914287

Revision history for this message
Klaus Steinberger (klaus-steinberger) wrote :

Am 15.03.2017 um 00:44 schrieb Seth Arnold:
> Hello Klaus, is this a usability issue or does this also allow someone
> to improperly elevate their privileges?

One more point: Correct setting of umask (which is definitly a security thing)
is also dependent on a working session management -> see pam_umask

Sincerly,
Klaus

--
Rechnerbetriebsgruppe / IT, Fakultät für Physik
Klaus Steinberger
FAX: +49 89 28914280
Tel: +49 89 28914287

Revision history for this message
Klaus Steinberger (klaus-steinberger) wrote :

Am 15.03.2017 um 08:02 schrieb Klaus Steinberger:
> Am 15.03.2017 um 00:44 schrieb Seth Arnold:
>> Hello Klaus, is this a usability issue or does this also allow someone
>> to improperly elevate their privileges?
>
> One more point: Correct setting of umask (which is definitly a security thing)
> is also dependent on a working session management -> see pam_umask

And what I found out by looking through other pam files: It is necessary for a
correct selinux context setup (for example look into the pam config for sddm)

Sincerly,
Klaus

--
Rechnerbetriebsgruppe / IT, Fakultät für Physik
Klaus Steinberger
FAX: +49 89 28914280
Tel: +49 89 28914287

Revision history for this message
Klaus Steinberger (klaus-steinberger) wrote :

Upstream pull request #694 fixes the problem:

https://github.com/neutrinolabs/xrdp/pull/694

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Use CVE-2017-6967.
Thanks

Revision history for this message
Klaus Steinberger (klaus-steinberger) wrote :

When will the patch hit the world? Upstream has fixed and Fedora is already fixing it. ubuntu sounds a little bit slow in fixing?

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in xrdp (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for xrdp (Ubuntu) because there has been no activity for 60 days.]

Changed in xrdp (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers