[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#914541: marked as done ([libpam-modules-bin] unix_chkpwd should be SUID instead of SGID, otherwise kscreen_locker does not work)

Your message dated Fri, 25 Jan 2019 15:03:36 -0300
with message-id <20190125180335.okd2honu2wcyfphm@neoptolemo.gnuservers.com.ar>
and subject line Re: Bug#914541: [libpam-modules-bin] unix_chkpwd should be SUID instead of SGID, otherwise kscreen_locker does not work
has caused the Debian Bug report #914541,
regarding [libpam-modules-bin] unix_chkpwd should be SUID instead of SGID, otherwise kscreen_locker does not work
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
914541: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=914541
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: libpam-modules-bin
Version: 1.1.8-3.8
Severity: important

--- Please enter the report below this line. ---
I ran into that quite a while ago, but wasn't using a screen locker or KDE since, so I forgot about it. Now, with KDE and mostly hibernating my system, it came back.
unix_chkpwd is installed SGID (2755) in all currently available libpam-modules-bin versions: 
1.1.8-3.2ubuntu2
1.1.8-3.2ubuntu2.1
1.1.8-3.2ubuntu3
1.1.8-3.2ubuntu3.1
1.1.8-3.6
1.1.8-3.6ubuntu2
1.1.8-3.8
With these permissions correct passwords fail in newer KDE screen locker versions. I tested libkscreenlocker5 versions: 
5.13.5-1
5.8.6-2
5.12.6-0ubuntu0.1
5.12.4-0ubuntu1

for a recent occurance of the issue see here:
https://www.reddit.com/r/kde/comments/8w7uqq/screen_wont_unlock/e1wbilp/?context=8&depth=9

I found a discussion about SUID vs. SGID for unix_chkpwd here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=155583
Note, I am not an expert in security related things, but the reasoning in the discussion doesn't look logical, so I'll try to explain my view as a user.
There probably was a reason why it was SUID before. Obviously nobody is talking about that decision.
The discussion about switching to SGID seems to be about explicit packages that fail and solutions for them.
But as I understand this, it doesn't say, there cannot be or can never be other packages that need unix_chkpwd to be SUID. May be, this is totally obvious to you and it doesn't need to be discussed. But at least the KDE screen locker is an example. 
Also, bashing NIS doesn't help, especially if there could be other software.
So, one question is, why is SGID better than SUID? is it worth breaking packages if you don't know, why SUID was part of the design? The other question is, why does another package need unix_chkpwd SUID? is it insecure or otherwise bad code in some way? 

That said, the problem could also be in the code of the screen locker.


--- System information. ---
Architecture: Kernel:       Linux 4.18.0-2-amd64

Debian Release: buster/sid
990 stable security.debian.org 900 xenial-security archive.ubuntu.com 900 testing debian.netcologne.de 900 stable kxstudio.linuxaudio.org 900 stable dl.google.com 900 stable debian.netcologne.de 900 bionic-security archive.ubuntu.com 900 artful-security archive.ubuntu.com 500 xenial ppa.launchpad.net 500 wily ppa.launchpad.net 500 trusty ppa.launchpad.net 500 lucid ppa.launchpad.net 500 gcc5 kxstudio.linuxaudio.org 500 bionic ppa.launchpad.net 500 artful ppa.launchpad.net 100 xenial-updates archive.ubuntu.com 100 xenial-backports archive.ubuntu.com 100 xenial archive.ubuntu.com 100 unstable packages.siduction.org 100 unstable debian.netcologne.de 100 experimental debian.netcologne.de 100 bionic-updates archive.ubuntu.com 100 bionic-backports archive.ubuntu.com 100 bionic archive.ubuntu.com 100 artful-updates archive.ubuntu.com 100 artful-backports archive.ubuntu.com 100 artful archive.ubuntu.com 
--- Package information. ---
Depends             (Version) | Installed
=============================-+-==============
libaudit1        (>= 1:2.2.1) | 1:2.8.4-2
libc6 (>= 2.14) | libpam0g (>= 0.99.7.1) | libselinux1 (>= 1.32) | 

Package's Recommends field is empty.

Package's Suggests field is empty.

--- End Message ---
--- Begin Message --- 
¡Hola!
Closing the issue as requested by the user in a private email. The problem seems to be caused by /etc/shadow's group being set to root, instead of shadow.
I'm not sure if there is a tool that checks for this kind of subtle problems, debsums is the closest thing, but it will ignore the conffiles, afaik. It would be cool if there is something out there. Any suggestions? 

Happy hacking,
--
"Nothing ever goes away." -- Commoner's Law of Ecology
Saludos /\/\ /\ >< `/

Attachment: signature.asc
Description: PGP signature


--- End Message ---
Reply to: