#90 Security Bug?

pam_mount
closed-rejected
pam_mount (94)
5
2011-02-26
2011-02-12
No

Hi, I am fairly new to this stuff, so I don't know if this is actually a pam_mount bug or pam...

- Intro

I manage a lab in my uni, so I needed to set up LDAP-based authentication with Samba-mounted home directories. The default behavior of pam_mount + smbmount couldn't do my job, so I wrote a script (mysmbmount.sh) to do the job. This does the following 2 things:

1) check that the home directory is not already mounted
2) check that the user is not a local one (I support both local and LDAP users with the same username...)

- THE PROBLEM

My pam_mount config includes the following:

<smbmount>mysmbmount.sh //%(SERVER)/%(VOLUME) %(MNTPT) -o "users,username=%(USER)%(before=\",\" OPTIONS)"</smbmount>

<volume fstype="smbfs" server="neminas" path="%(USER)" mountpoint="~" options="users" />

Now my script follows:

#!/bin/bash

# Check that the home is not already mounted
res=`mount | grep "$1"`

if [ "$res" != "" ]; then
    exit 0;
fi

# Check that the user is NOT local
# (if it is local and we mount the remote home
# we have no permissions to the home...)
#
# SECURITY BUG:
# The following results in the user password ???!!!
#user=`cut -d' ' -f1`

user=`echo "$1" | cut -d'/' -f4`
# Match the whole username field, not any substring of a passwd line
res=`grep "^$user:" /etc/passwd`

if [ "$res" != "" ]; then
    exit 0;
fi

# Quote "$@" so the -o option string reaches smbmount as one argument
smbmount "$@"

exit 0;

As you can see in the comments, when I was writing the script I forgot to add "echo $1" to the cut line. The cut command alone, though, produces output!!? And it is not random, it is the user's _password_ in clear text. To test it, add "echo $user > /tmp/test" and, when you are in, cat the test file... Also, the delimiter does not matter...

I cannot understand what is being cut, and I am not sure that this is a bug... but it seems weird to me to be able to have all my users' clear-text passwords (seems like a flaw in the pam stuff)

- Some more info:

urban@mig-manager:~$ cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"

urban@mig-manager:~$ uname -a
Linux mig-manager 2.6.32-27-server #49-Ubuntu SMP Thu Dec 2 02:05:21 UTC 2010 x86_64 GNU/Linux

urban@mig-manager:~$ dpkg -l | grep pam
ii auth-client-config 0.9 pam and NSS profile switcher
ii libpam-ck-connector 0.4.1-3ubuntu1 ConsoleKit PAM module
ii libpam-ldap 184-8.2ubuntu1 Pluggable Authentication Module for LDAP
ii libpam-modules 1.1.1-2ubuntu5 Pluggable Authentication Modules for PAM
ii libpam-mount 1.32-2 PAM module that can mount volumes for a user session
ii libpam-runtime 1.1.1-2ubuntu5 Runtime support for the PAM library
ii libpam-smbpass 2:3.4.7~dfsg-1ubuntu3.3 pluggable authentication module for Samba
ii libpam0g 1.1.1-2ubuntu5 Pluggable Authentication Modules library
ii python-pam 0.4.2-12.1ubuntu1 A Python interface to the PAM library

Regards,

Andreas

Discussion

  • Jan Engelhardt

    Jan Engelhardt - 2011-02-12
    • status: open --> pending-rejected
     
  • Jan Engelhardt

    Jan Engelhardt - 2011-02-12

    1. pam_mount already does that
    2. Linux systems (not just pam_mount) do not distinguish between where a user is sourced from. If two objects have the same username, they are, in fact, the same user.

    >As you can see in the comments, when I was writing the script I forgot to add "echo $1" to the cut line.

    The mount program gets the password on stdin, and incorrectly processing that is not pam_mount's problem.
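
The stdin behaviour described in the reply above, as an added example that is not part of the original thread or of pam_mount: a wrapper whose `cut` inherits stdin swallows the password, while one that gives every helper command explicit input leaves it for the mount program. `fake_mount_helper` is a hypothetical stand-in for smbmount, and the password and share name are constructed sample values.

```bash
#!/bin/bash
# Stand-in for smbmount (hypothetical): reads the password from stdin
# and reports only whether one arrived, never the value itself.
fake_mount_helper() {
    pw=
    IFS= read -r pw || true
    if [ -n "$pw" ]; then
        echo "helper: password received"
    else
        echo "helper: no password on stdin"
    fi
}

# Mirrors the commented-out line in the report: cut has no file operand
# and no pipe, so it reads the wrapper's inherited stdin (the password).
leaky_wrapper() {
    user=$(cut -d' ' -f1)
    # $user now holds the secret; report its length only.
    [ -n "$user" ] && echo "wrapper: captured ${#user} chars from stdin"
    fake_mount_helper   # stdin is already at EOF
}

# Every helper command gets explicit input or /dev/null, so the password
# stays unread until the mount program asks for it.
safe_wrapper() {
    share=$1
    passwd_file=${2:-/etc/passwd}
    # cut is fed the share path, not inherited stdin.
    user=$(printf '%s\n' "$share" | cut -d'/' -f4)
    # Exact match on the username field; </dev/null detaches the lookup
    # from the password stream even if the command line changes later.
    if awk -F: -v u="$user" '$1 == u { f = 1 } END { exit !f }' \
            "$passwd_file" </dev/null; then
        echo "wrapper: $user is local, not mounting"
        return 0
    fi
    fake_mount_helper   # inherits stdin with the password intact
}

# Constructed sample input, not a real credential.
printf 'constructed-secret\n' | leaky_wrapper
printf 'constructed-secret\n' | safe_wrapper //neminas/alice
```

A wrapper that also logs its variables, as in the `/tmp/test` check from the report, would write the secret to disk in the leaky variant, so audit wrapper scripts for any command that can fall back to reading stdin.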

     
  • SourceForge Robot

    • status: pending-rejected --> closed-rejected
     
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
