#90 Security Bug?

pam_mount (94)

Hi I am fairly new to these stuff so I don't know if this is actually pam_mount bug or pam...

- Intro

I manage a lab. in my uni. so I needed to setup LDAP based authentication with SAMBA mounted home directories. The default behavior of pam_mount + smbmount couldn't do my job so I wrote a script (mysmbmount.sh) to do the job. This does the following 2 things:

1) check that home directory is not all ready mounted
2) check that the user is not local one (I support both local and LDAP users with the same username...)


My pam_mount config includes the following:

<smbmount>mysmbmount.sh //%(SERVER)/%(VOLUME) %(MNTPT) -o "users,username=%(USER)%(before=\",\" OPTIONS)"</smbmount>

<volume fstype="smbfs" server="neminas" path="%(USER)" mountpoint="~" options="users" />

Now my script follows:


# Check that the home is not already mounted
res=`mount | grep "$1"`

if [ "$res" != "" ]; then
exit 0;

# Check that the user is NOT local
# (if it is local and we mount the remote home
# we have no permissions to the home...)
# The following results to the user password ???!!!
#user=`cut -d' ' -f1`

user=`echo "$1" | cut -d'/' -f4`
res=`cat /etc/passwd | grep "$user"`

if [ "$res" != "" ]; then
exit 0;

smbmount $@

exit 0;

As you can see in the comments, when I was writing the script I forgot to add "echo $1" to the cut line. The cut though command alone produces output!!? And it is not random, it is the user's _password_ clear text. To test it add "echo $user > /tmp/test" and when you are in cat test file... Also the delimiter does not matter...

I cannot understand what is been cut? and I am not sure that this is a bug... but it seems weird to me to be able to have all my user's clear text passwords (seems like a flow in the pam stuff)

- Some more info:

urban@mig-manager:~$ cat /etc/lsb-release

urban@mig-manager:~$ uname -a
Linux mig-manager 2.6.32-27-server #49-Ubuntu SMP Thu Dec 2 02:05:21 UTC 2010 x86_64 GNU/Linux

urban@mig-manager:~$ dpkg -l | grep pam
ii auth-client-config 0.9 pam and NSS profile switcher
ii libpam-ck-connector 0.4.1-3ubuntu1 ConsoleKit PAM module
ii libpam-ldap 184-8.2ubuntu1 Pluggable Authentication Module for LDAP
ii libpam-modules 1.1.1-2ubuntu5 Pluggable Authentication Modules for PAM
ii libpam-mount 1.32-2 PAM module that can mount volumes for a user session
ii libpam-runtime 1.1.1-2ubuntu5 Runtime support for the PAM library
ii libpam-smbpass 2:3.4.7~dfsg-1ubuntu3.3 pluggable authentication module for Samba
ii libpam0g 1.1.1-2ubuntu5 Pluggable Authentication Modules library
ii python-pam 0.4.2-12.1ubuntu1 A Python interface to the PAM library




  • Jan Engelhardt

    Jan Engelhardt - 2011-02-12
    • status: open --> pending-rejected
  • Jan Engelhardt

    Jan Engelhardt - 2011-02-12

    1. pam_mount already does that
    2. linux systems (not just pam_mount) do not distinguish between where a user is sourced from. If two objects have the same username, they are, in fact, the same user.

    >As you can see in the comments, when I was writing the script I forgot to add "echo $1" to the cut line.

    The mount program gets the password on stdin, and incorrectly processing that is not pam_mount's problem.

  • SourceForge Robot

    • status: pending-rejected --> closed-rejected
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).


Log in to post a comment.