194604 – [libpam] [patch] pam_unix doesn't allow validation of own password

Bug 194604 - [libpam] [patch] pam_unix doesn't allow validation of own password

Summary: [libpam] [patch] pam_unix doesn't allow validation of own password

Status:	Closed Works As Intended

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	bin (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Some People
Assignee:	Dag-Erling Smørgrav

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-10-26 05:42 UTC by Conrad Meyer
Modified:	2015-04-21 12:22 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
(Apply with -p1; diff against r273647.) (9.68 KB, patch) 2014-10-26 05:42 UTC, Conrad Meyer	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Conrad Meyer 2014-10-26 05:42:42 UTC

Created attachment 148656 [details]
(Apply with -p1; diff against r273647.)

Linux-PAM provides this functionality via a setuid helper program, and programs have come to depend on it. In particular, enlightenment desktop's lock screen uses this feature to allow unlocking. You could argue this is a bug in enlightenment, but I'm not sure we'd prefer more ports shipping setuid helpers instead of providing one standard one.

I don't see the harm in presenting the additional functionality, and it means more Linux programs work on FreeBSD.

I have attempted to keep the setuid helper quite simple and keep the attack surface small.

This helper only facilitates authentication, and like pam_unix, does not validate account expiration time.

Comment 1 Conrad Meyer 2014-10-26 05:44:03 UTC

CC'ing security team for sign-off as this adds a setuid program to base.

Comment 2 Dag-Erling Smørgrav freebsd_committer

2014-10-27 14:10:26 UTC

Sorry, but no.  Use something like kpasswd instead.

Comment 3 Dag-Erling Smørgrav freebsd_committer

2014-10-27 14:11:00 UTC

Sorry, I meant kcheckpass.

Comment 4 Conrad Meyer 2014-10-27 14:53:45 UTC

(In reply to Dag-Erling SmÃ¸rgrav from comment #2)
> Sorry, but no.  Use something like kpasswd instead.

So, this option then?
> we'd prefer more ports shipping
> setuid helpers instead of providing one standard one.

(In reply to Dag-Erling SmÃ¸rgrav from comment #3)
> Sorry, I meant kcheckpass.

$ pkg install kcheckpass
pkg: No packages available to install matching 'kcheckpass' have been found in the repositories

Any idea which of the myriad KDE ports actually provides kcheckpass?

Comment 5 Conrad Meyer 2014-10-27 14:56:26 UTC

(In reply to Conrad Meyer from comment #4)
> Any idea which of the myriad KDE ports actually provides kcheckpass?

Ah, it's kde-workspace.

$ pkg install kde-workspace
...
The process will require 641 MB more space.
223 MB to be downloaded.

You think that's a usable solution?

Comment 6 Conrad Meyer 2014-10-27 20:50:48 UTC

I'm ok with kcheckpass as a solution, but it must be installable without pulling in all of KDE. I think that's doable. I should make a kcheckpass port; change kde4-workspace plist to exclude kcheckpass and have the port require it as a run-time dep; and finally fix enlightenment to use kcheckpass on FreeBSD.

Comment 7 Dag-Erling Smørgrav freebsd_committer

2014-10-28 07:58:25 UTC

If you feel like writing your own version and are comfortable releasing it under the three-clause BSD license, I may include it in OpenPAM.  It won't be available in FreeBSD until 10.2 at the earliest, more likely 11, but we can easily make a port to install it on systems that don't have it in base.

BTW, this is vastly more flexible than the Linux-PAM solution, as the latter will only work for users with traditional password hashes available through NSS, not for users who authenticate through Kerberos, RADIUS or some other remote method.

Comment 8 Conrad Meyer 2014-10-28 13:07:41 UTC

(In reply to Dag-Erling SmÃ¸rgrav from comment #7)
> If you feel like writing your own version and are comfortable releasing it
> under the three-clause BSD license, I may include it in OpenPAM.

Sure. The helper source file in the attached patch is 2-clause BSD; 3-clause is fine. (The attached patch also has one manual page derived from Linux-PAM, which is 3-clause BSD.)

> It won't
> be available in FreeBSD until 10.2 at the earliest, more likely 11, but we
> can easily make a port to install it on systems that don't have it in base.

CURRENT is what I care about, that is fine.

> BTW, this

My initial patch, kcheckpass, or something else you're proposing?

> is vastly more flexible than the Linux-PAM solution, as the latter
> will only work for users with traditional password hashes available through
> NSS, not for users who authenticate through Kerberos, RADIUS or some other
> remote method.

If we're talking about the attached patch, it only modifies pam_unix and only checks for passwords available through getpwnam(3). My read of that man page was that it was only for local hashes.

And of course, if a pam_unix is disabled in a PAM configuration, it won't be run at all which may be surprising if it is expected to check remote passwords.

I'm happy to rework this in another way! Just let me know how you would like it to look and function, or anything I can do to help.

Thanks.

Comment 9 Dag-Erling Smørgrav freebsd_committer

2014-10-31 21:33:18 UTC

I meant "your own version of something similar to kcheckpass".

Sorry for the late response.  For some reason, I didn't get a copy of your comment by email.

Comment 10 Conrad Meyer 2015-04-21 12:22:29 UTC

Upstream E desktop has agreed to ship their own suid helper:

https://phab.enlightenment.org/D2355

So this may be closed.