Re: Linux PAM (up to 0.64-2) local root compromise

Thanks for this Andrey!

I've placed your patch in the source directory on kernel.org:


[I'm going to try to pull what I have together over the holiday and make
a 0.66 release before the end of the year.  If anyone wants to send me a
patch etc., please feel free to do so.]



Savochkin Andrey Vladimirovich wrote:
> On Wed, Dec 23, 1998 at 01:12:45PM +0100, Michal Zalewski wrote:
> > As someone said, "Never make any mistaeks."
> >
> > The latest release of Linux Pluggable Authentication Modules (pam-0.64-2, as
> > well as previous ones) has a huge security flaw in the pam_unix_passwd.so
> > module, which can be exploited to gain read/write permissions to the
> > /etc/shadow file.
> >
> [snip]
> > The default password change routine in the pam_unix_passwd.so module, called
> > from the passwd utility, creates a temporary file /etc/nshadow using fopen().
> > Unfortunately, the process umask isn't changed. After approx. 3 syscalls,
> > chmod is called to set the proper mode on this file (0600). But, for these
> > 3 syscalls, the file permissions are equal to 0666 ~ umask. If the umask of
> > the current process (which is inherited from the parent process, of course)
> > is set to 0, we have an /etc/nshadow file with permissions 0666. Then,
> > after all, it's moved using rename() to /etc/shadow. Cute.
> Thank you for the report.
> The attached patch takes care of file creation permissions in the
> pam_unix_passwd and pam_tally modules.  I should warn people that the patch
> isn't well tested.  The pam_unix_passwd module can't be tested on my system.
> It doesn't work at all because of a glibc bug.
> Best regards
>                                         Andrey V.
>                                         Savochkin
> [Attachment: pam-0.65-umask.patch (text/plain)]
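The umask window Michal describes, shown side by side with the way a defender closes it, as an added example: this is not code from the PAM project, from Andrey's patch, or from the thread, and the path is a constructed demo file supplied by the caller, not /etc/nshadow.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of an open descriptor, or -1 on error. */
static int fd_mode(int fd) {
    struct stat st;
    return fstat(fd, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Vulnerable pattern from the report: fopen() creates the file with
 * 0666 & ~umask and only a later chmod() narrows it.  Returns the mode an
 * observer sees between the two calls (0666 when the inherited umask is 0).
 * 'path' is a constructed demo file, never the real shadow file. */
int window_mode_fopen(const char *path, mode_t inherited_umask) {
    mode_t saved = umask(inherited_umask);    /* as inherited from the parent */
    unlink(path);
    FILE *f = fopen(path, "w");
    int seen = f ? fd_mode(fileno(f)) : -1;   /* the window the report describes */
    if (f) { chmod(path, 0600); fclose(f); }  /* too late: the file already existed wide open */
    umask(saved);
    unlink(path);
    return seen;
}

/* Hardened pattern: set a restrictive umask ourselves, ask for 0600 at
 * creation time and refuse to reuse an existing file (O_EXCL), so the file
 * is never wider than 0600 at any instant, whatever the parent's umask was.
 * Returns the mode at creation; rename() to the final name would follow. */
int window_mode_open(const char *path, mode_t inherited_umask) {
    mode_t saved = umask(inherited_umask);
    unlink(path);
    umask(077);                               /* override whatever we inherited */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int seen = fd >= 0 ? fd_mode(fd) : -1;
    if (fd >= 0) close(fd);
    umask(saved);
    unlink(path);
    return seen;
}
```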

