
could not drop privileges when using sudo #28

Closed
oripka opened this issue Sep 21, 2013 · 2 comments

Comments


oripka commented Sep 21, 2013

I tried the following PAM configuration with all the yubico code compiled from latest git on Ubuntu Precise:

auth [success=1 new_authtok_reqd=ok ignore=ignore default=die]   pam_yubico.so mode=challenge-response debug

When using "su" the authentication works ok:

[pam_yubico.c:parse_cfg(753)] called.
[pam_yubico.c:parse_cfg(754)] flags 0 argc 2
[pam_yubico.c:parse_cfg(756)] argv[0]=mode=challenge-response
[pam_yubico.c:parse_cfg(756)] argv[1]=debug
[pam_yubico.c:parse_cfg(757)] id=-1
[pam_yubico.c:parse_cfg(758)] key=(null)
[pam_yubico.c:parse_cfg(759)] debug=1
[pam_yubico.c:parse_cfg(760)] alwaysok=0
[pam_yubico.c:parse_cfg(761)] verbose_otp=0
[pam_yubico.c:parse_cfg(762)] try_first_pass=0
[pam_yubico.c:parse_cfg(763)] use_first_pass=0
[pam_yubico.c:parse_cfg(764)] authfile=(null)
[pam_yubico.c:parse_cfg(765)] ldapserver=(null)
[pam_yubico.c:parse_cfg(766)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(767)] ldapdn=(null)
[pam_yubico.c:parse_cfg(768)] user_attr=(null)
[pam_yubico.c:parse_cfg(769)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(770)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(771)] url=(null)
[pam_yubico.c:parse_cfg(772)] capath=(null)
[pam_yubico.c:parse_cfg(773)] token_id_length=12
[pam_yubico.c:parse_cfg(774)] mode=chresp
[pam_yubico.c:parse_cfg(775)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(815)] get user returned: root
[pam_yubico.c:do_challenge_response(499)] Loading challenge from file /root/.yubico/challenge-2101146
[util.c:load_chalresp_state(269)] Challenge: XXX, salt: XXX, iterations: 10000, slot: 2
[pam_yubico.c:do_challenge_response(577)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(655)] Challenge-response success!

But when using "sudo su" I get the following error:

[pam_yubico.c:parse_cfg(753)] called.
[pam_yubico.c:parse_cfg(754)] flags 32768 argc 2
[pam_yubico.c:parse_cfg(756)] argv[0]=mode=challenge-response
[pam_yubico.c:parse_cfg(756)] argv[1]=debug
[pam_yubico.c:parse_cfg(757)] id=-1
[pam_yubico.c:parse_cfg(758)] key=(null)
[pam_yubico.c:parse_cfg(759)] debug=1
[pam_yubico.c:parse_cfg(760)] alwaysok=0
[pam_yubico.c:parse_cfg(761)] verbose_otp=0
[pam_yubico.c:parse_cfg(762)] try_first_pass=0
[pam_yubico.c:parse_cfg(763)] use_first_pass=0
[pam_yubico.c:parse_cfg(764)] authfile=(null)
[pam_yubico.c:parse_cfg(765)] ldapserver=(null)
[pam_yubico.c:parse_cfg(766)] ldap_uri=(null)
[pam_yubico.c:parse_cfg(767)] ldapdn=(null)
[pam_yubico.c:parse_cfg(768)] user_attr=(null)
[pam_yubico.c:parse_cfg(769)] yubi_attr=(null)
[pam_yubico.c:parse_cfg(770)] yubi_attr_prefix=(null)
[pam_yubico.c:parse_cfg(771)] url=(null)
[pam_yubico.c:parse_cfg(772)] capath=(null)
[pam_yubico.c:parse_cfg(773)] token_id_length=12
[pam_yubico.c:parse_cfg(774)] mode=chresp
[pam_yubico.c:parse_cfg(775)] chalresp_path=(null)
[pam_yubico.c:pam_sm_authenticate(815)] get user returned: XXX
[pam_yubico.c:do_challenge_response(499)] Loading challenge from file /home/XXX/.yubico/challenge-2101146
[util.c:load_chalresp_state(269)] Challenge: XXX, hashed response: XXX, salt: XXX, iterations: 10000, slot: 2
[pam_yubico.c:do_challenge_response(577)] Got the expected response, generating new challenge (63 bytes).
[pam_yubico.c:do_challenge_response(615)] could not drop privileges
Error communicating with Yubikey, please check syslog or contact your system administrator
[pam_yubico.c:display_error(456)] conv returned: '(null)'
[pam_yubico.c:do_challenge_response(681)] Challenge response failed: No such file or directory

I still get root privileges using this, but here [1] is a reference that states that this could be a security risk.

Also unlocking gnome screensaver does not work. Are there any prerequisites for that to work, like dbus (I uninstalled some of the default packages from ubuntu)?

[1] http://stdio.tumblr.com/post/16542319413


oripka commented Sep 21, 2013

I investigated a little bit more. So using the git version before the commit "reimplement drop_privs to implement the pam_modutils interface" does work without errors when using the following pam config:

auth [success=ok default=bad]   pam_unix.so nullok_secure
auth [success=1 new_authtok_reqd=ok ignore=ignore default=die]   pam_yubico.so mode=challenge-response debug

However, unlocking gnome-screensaver or xscreensaver still does not work.

klali added a commit that referenced this issue Sep 23, 2013
so we have to allocate a second one and point to
that for the second time we want to drop privs.
relates to #28

klali commented Sep 23, 2013

With this last patch the drop privs path works properly (obviously not tested enough when I pushed the previous part).
For me unlocking the gnome-screensaver works; do you have any other special setup? Do you get anything in /var/log/auth.log or syslog?

/klas
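The failing step in the "sudo su" log above is the module's attempt to drop privileges before it writes the new challenge into the user's ~/.yubico directory, and reference [1] is about why a process that still holds root must not operate on files under a user-writable directory. The following is an added example and not pam_yubico's code: it implements the one-shot drop/regain state pattern (a second drop needs a second struct, which is what the commit referenced above does) and a symlink-resistant read of a per-user state file. The names struct privs, privs_drop, privs_regain, read_user_state, the demo functions and the constructed state line are assumptions of this example; the real module uses the pam_modutil interface named in the commit message.

```c
/* Added example (not pam_yubico's code): a one-shot privilege drop around a
 * per-user state file, for a PAM module that runs as root (as under "sudo su"
 * above) yet must touch files under the authenticating user's home. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* state: 0 = fresh, 1 = dropped, 2 = spent */
struct privs { uid_t saved_uid; gid_t saved_gid; int state; };
#define PRIVS_INIT { 0, 0, 0 }

/* Lower the effective uid/gid to the target user. The struct is one-shot: a
 * second drop needs a second struct, as the commit referenced above does. */
int privs_drop(struct privs *p, uid_t uid, gid_t gid)
{
    if (p->state != 0) { errno = EINVAL; return -1; }
    p->saved_uid = geteuid();
    p->saved_gid = getegid();
    /* gid first: once the euid is no longer root, setegid would fail. */
    if (setegid(gid) < 0) return -1;
    if (seteuid(uid) < 0) { (void)setegid(p->saved_gid); return -1; }
    /* A full version also swaps supplementary groups (setgroups, root only). */
    p->state = 1;
    return 0;
}

/* Restore the saved identity; valid exactly once after privs_drop. */
int privs_regain(struct privs *p)
{
    if (p->state != 1) { errno = EINVAL; return -1; }
    if (seteuid(p->saved_uid) < 0) return -1;
    if (setegid(p->saved_gid) < 0) return -1;
    p->state = 2;
    return 0;
}

/* Read up to len-1 bytes of the user's state file while running as that user.
 * O_NOFOLLOW plus an ownership check on the open descriptor keep a symlink
 * planted in the user's directory from steering root to another file. */
ssize_t read_user_state(const char *path, uid_t uid, gid_t gid, char *buf, size_t len)
{
    struct privs p = PRIVS_INIT;
    struct stat st; ssize_t n = -1;
    int fd, saved_errno = 0;
    if (len == 0 || privs_drop(&p, uid, gid) < 0) return -1;
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) {
        saved_errno = errno;
    } else if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != uid) {
        saved_errno = EACCES;
        close(fd);
    } else {
        n = read(fd, buf, len - 1);
        if (n < 0) saved_errno = errno; else buf[n] = '\0';
        close(fd);
    }
    /* Always regain, on the error path too, or the process stays demoted. */
    if (privs_regain(&p) < 0) return -1;
    if (n < 0) errno = saved_errno;
    return n;
}

/* Constructed stand-in for the challenge file contents. */
static const char DEMO_STATE[] = "challenge=XXX salt=XXX iterations=10000 slot=2\n";

/* Demo: round-trip the constructed state through a temp file as the current
 * user, then confirm a symlink to it is refused. Returns 1 when both hold.
 * Unprivileged runs work because seteuid/setegid to one's own ids succeed. */
int demo_state_file_roundtrip(void)
{
    char path[] = "/tmp/chalresp-demo-XXXXXX", lpath[64], buf[128];
    ssize_t want = (ssize_t)(sizeof DEMO_STATE - 1);
    int ok = 0, fd = mkstemp(path);
    if (fd < 0) return 0;
    if (write(fd, DEMO_STATE, want) == want)
        ok = read_user_state(path, getuid(), getgid(), buf, sizeof buf) == want
             && strcmp(buf, DEMO_STATE) == 0;
    close(fd);
    snprintf(lpath, sizeof lpath, "%s.lnk", path);
    if (ok && symlink(path, lpath) == 0) {
        ok = read_user_state(lpath, getuid(), getgid(), buf, sizeof buf) == -1 && errno == ELOOP;
        unlink(lpath);
    }
    unlink(path);
    return ok;
}

/* Demo: a spent struct must reject a second drop. Returns 1 when it does. */
int demo_reuse_rejected(void)
{
    struct privs p = PRIVS_INIT;
    if (privs_drop(&p, getuid(), getgid()) < 0 || privs_regain(&p) < 0) return 0;
    return privs_drop(&p, getuid(), getgid()) < 0 && errno == EINVAL;
}

int main(void)
{
    printf("state file round trip: %s\n", demo_state_file_roundtrip() ? "ok" : "FAILED");
    printf("reuse rejected: %s\n", demo_reuse_rejected() ? "ok" : "FAILED");
    return 0;
}
```

Built with gcc and run as an ordinary user it only switches to its own ids; run under sudo it really demotes the effective uid to the caller's before touching the file, which is the situation the "sudo su" log above exercises. The one-shot state is a design choice of this example, chosen to make the "allocate a second one" discipline from the commit message explicit; it also makes a forgotten privs_regain or a doubled privs_drop fail loudly instead of leaving the process running as the wrong user.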

@klali klali closed this as completed Nov 20, 2013