Public bug reported:

We use the pam_localuser.so PAM module to allow root to become local users only, 
because we don't want root to be able to become a domain user (we use sssd with 
AD integration).

This works well with the su program, but fails with runuser.
We added the following in front of pam_rootok.so in the files /etc/pam.d/su and 
/etc/pam.d/runuser:
auth            required        pam_localuser.so

As I have found out, this behaviour can easily be changed by applying the 
following patch:
diff -urN util-linux-2.31.1/login-utils/su-common.c 
util-linux-2.31.1/login-utils/su-common.c
--- util-linux-2.31.1/login-utils/su-common.c   2018-11-21 10:56:05.100179733 
+0100
+++ util-linux-2.31.1/login-utils/su-common.c   2018-11-21 11:10:40.458312830 
+0100
@@ -709,7 +709,6 @@
                 */
                if (su->restricted)
                        errx(EXIT_FAILURE, _("may not be used by non-root 
users"));
-               return;
        }

        rc = pam_authenticate(su->pamh, 0);
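Review bot: dropping the early `return;` makes `pam_authenticate()` run for a root-invoked runuser unconditionally, so runuser's no-password behaviour now depends entirely on what `/etc/pam.d/runuser` contains: with a stack that begins with `auth sufficient pam_rootok.so` nothing changes, but on a system whose runuser stack lacks pam_rootok, or places a `required` password module ahead of it, root is prompted for the target user's password, which breaks non-interactive callers. Please state that dependency in the commit message and in runuser.1, and confirm that the Debian/Ubuntu `/etc/pam.d/runuser` keeps pam_rootok first. Also check the comment closed by the `*/` at the top of the hunk: if it explains why authentication was skipped here, it is now stale and should say instead that root is expected to be passed by pam_rootok.so.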

And it works as expected:
# runuser domainuser
runuser: Permission denied

However, we would always need to recompile util-linux as new security
updates come out.

Could this please be applied to the Ubuntu repository and backported for bionic?
I will contact the util-linux maintainer separately in order to get this 
upstream.

** Affects: util-linux (Ubuntu)
     Importance: Undecided
         Status: New

** Patch added: "util-linux_2.31.1_runuser_pam.patch"
   https://bugs.launchpad.net/bugs/1804417/+attachment/5214930/+files/util-linux_2.31.1_runuser_pam.patch

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to util-linux in Ubuntu.
https://bugs.launchpad.net/bugs/1804417

Title:
  runuser doesn't authenticate PAM modules

Status in util-linux package in Ubuntu:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1804417/+subscriptions
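To make the ordering point in the report concrete, here is an added illustration written for this page; it is not util-linux or Linux-PAM code. It simulates how Linux-PAM walks an "auth" stack for the required / requisite / sufficient control flags (no "include", "substack" or [value=action] syntax) and the early-return branch in the hunk above, so you can see why pam_localuser.so only has an effect when it sits in front of pam_rootok.so, and why the stack is irrelevant as long as runuser never calls pam_authenticate() for root. The /etc/passwd contents, the PAM file variants, the "domainuser" account and every function name are constructed for the example; module behaviour is modelled, not executed.

```python
"""Added illustration for this bug report (not libpam, not util-linux code):
a model of the Linux-PAM auth-stack walk plus the runuser branch that the
patch changes.  All module behaviour here is simulated."""

from dataclasses import dataclass

# Constructed sample /etc/passwd.  Domain users served by sssd are absent
# from it, which is exactly what pam_localuser.so keys on.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


@dataclass
class Request:
    caller_uid: int    # uid of the process running su/runuser
    target_user: str   # PAM_USER: the account being switched to
    password_ok: bool  # could the caller supply the target's password?


def local_users(passwd_text):
    """Account names present in the local passwd file."""
    return {line.split(":", 1)[0]
            for line in passwd_text.splitlines() if line and not line.startswith("#")}


def module_result(module, req, passwd_text):
    """Simulated PAM_SUCCESS (True) / failure (False) for the modules used here."""
    if module == "pam_rootok.so":
        return req.caller_uid == 0
    if module == "pam_localuser.so":
        return req.target_user in local_users(passwd_text)
    if module == "pam_unix.so":
        return req.password_ok
    raise ValueError(f"unmodelled module: {module}")


def parse_auth_stack(pam_file_text):
    """(control, module) pairs for the 'auth' lines of a /etc/pam.d file."""
    stack = []
    for raw in pam_file_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2]))
    return stack


def evaluate_auth(pam_file_text, req, passwd_text=LOCAL_PASSWD):
    """Walk the auth stack as Linux-PAM does for the simple control flags:
    required  - a failure is remembered, the walk continues;
    requisite - a failure ends the walk immediately;
    sufficient - success ends the walk with PAM_SUCCESS unless a required
                 module already failed; a failure is ignored."""
    failed = False
    for control, module in parse_auth_stack(pam_file_text):
        ok = module_result(module, req, passwd_text)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        else:
            raise ValueError(f"unmodelled control flag: {control}")
    return not failed


def runuser_allowed(pam_file_text, req, patched=False):
    """Model of the branch in the hunk: runuser refuses non-root callers
    ("may not be used by non-root users") and, unpatched, returns before
    pam_authenticate() for root, so the auth stack is never consulted.
    patched=True stands for the report's change (the 'return;' removed)."""
    if req.caller_uid != 0:
        return False
    if not patched:
        return True
    return evaluate_auth(pam_file_text, req)


# Constructed /etc/pam.d/runuser variants (auth section only).
RUNUSER_ROOTOK_FIRST = """\
auth    sufficient  pam_rootok.so
auth    required    pam_unix.so
"""
# The report's change: pam_localuser.so in front of pam_rootok.so.
RUNUSER_LOCALUSER_FIRST = """\
auth    required    pam_localuser.so
auth    sufficient  pam_rootok.so
auth    required    pam_unix.so
"""
# Same line placed after pam_rootok.so: never reached when root calls.
RUNUSER_LOCALUSER_LATE = """\
auth    sufficient  pam_rootok.so
auth    required    pam_localuser.so
auth    required    pam_unix.so
"""

if __name__ == "__main__":
    root_to_domain = Request(caller_uid=0, target_user="domainuser", password_ok=False)
    for label, patched in (("unpatched", False), ("patched", True)):
        print(label, "root -> domainuser, localuser first:",
              runuser_allowed(RUNUSER_LOCALUSER_FIRST, root_to_domain, patched))
    print("patched, localuser after rootok:",
          runuser_allowed(RUNUSER_LOCALUSER_LATE, root_to_domain, patched=True))
```

Running it shows the two halves of the report's problem separately: unpatched runuser lets root become "domainuser" no matter what the stack says, and patched runuser still lets root through if pam_localuser.so is listed after the sufficient pam_rootok.so line, because a sufficient success ends the walk before the later required module is consulted. The patch and the PAM file order are both needed for the "Permission denied" result the report shows.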

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
