
sts-sponsors team mailing list archive

[Bug 1666203] [NEW] pam_tty_audit failed in pam_open_session

 

You have been subscribed to a public bug by Eric Desrochers (slashd):

[Impact]

 * Kernel keystroke auditing via pam_tty_audit.so not working

 * When using pam_tty_audit with other PAM modules (e.g. pam_ldap), it failed in pam_open_session.
   It was triggered by the use of an uninitialized variable in pam_tty_audit.c::pam_open_session.

[Test Case]

1) Open a shell & escalate to root
2) Update /etc/pam.d/common-session & /etc/pam.d/common-session-noninteractive and add the following line directly after the line: "session required pam_unix.so":
"session required pam_tty_audit.so enable=*"

3) Start a second new shell session on the box and type a variety of commands
4) Exit the second shell session to flush the buffer?
5) In the root shell run "aureport -tty -i". The output should show the commands run in the other shell.

[Regression Potential]

 * Low, we are simply including the missing header file and copying the old
status as the initialization of the new one. The fix is already found in/part
of Debian and Disco.

[Other Info]

# Upstream fix:
https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee

# git describe --contains c5f829931a22c65feffee16570efdae036524bee
Linux-PAM-1_2_0~75

# rmadison pam
=>  pam | 1.1.8-1ubuntu2.2   | trusty-updates   | source
=>  pam | 1.1.8-3.2ubuntu2   | xenial           | source
=>  pam | 1.1.8-3.2ubuntu2.1 | xenial-updates   | source
=>  pam | 1.1.8-3.6ubuntu2   | bionic           | source
=>  pam | 1.1.8-3.6ubuntu2   | cosmic           | source
    pam | 1.3.1-5ubuntu1     | disco            | source

[Original Description]

Dear Maintainer.

I found a bug in pam_tty_audit.
When using pam_tty_audit with other PAM modules (e.g. pam_ldap), it failed in pam_open_session.
It was triggered by the use of an uninitialized variable in pam_tty_audit.c::pam_open_session.

* Environments
Ubuntu 14.04.4 LTS
linux-image-3.16.0-71-generic    3.16.0-71.92~14.04.1
libpam-ldap:amd64    184-8.5ubuntu3
libpam-modules:amd64    1.1.8-1ubuntu2.2

Ubuntu 16.04.2 LTS
linux-image-4.4.0-62-generic    4.4.0-62.83
libpam-ldap:amd64    184-8.7ubuntu1
libpam-modules:amd64    1.1.8-3.2ubuntu2

* Reproduction method
1. Install libpam-ldap.
2. Add the following to the end of /etc/pam.d/common-sessions
--------
session required pam_tty_audit.so enable=* open_only
--------
3. When logging in with ssh etc., pam_tty_audit will fail and login fails

* Solution (== 2018/04/16 Link updated ==)
apply upstream patch
https://github.com/linux-pam/linux-pam/commit/c5f829931a22c65feffee16570efdae036524bee

* Logs (on Ubuntu14.04)
-- auth.log --
May 18 14:47:03 vm sshd[2272]: Accepted publickey for test from 10.99.0.1 port 51398 ssh2: RSA 8f:39:1c:3a:f4:9d:ca:99:67:fc:e3:fd:1e:0c:5b:a8
May 18 14:47:03 vm sshd[2272]: pam_unix(sshd:session): session opened for user test by (uid=0)
May 18 14:47:03 vm sshd[2272]: pam_tty_audit(sshd:session): error setting current audit status: Invalid argument
May 18 14:47:03 vm sshd[2272]: error: PAM: pam_open_session(): Cannot make/remove an entry for the specified session
May 18 14:47:03 vm sshd[2297]: Received disconnect from 10.99.0.1: 11: disconnected by user

-- syslog --
May 18 14:47:03 vm audispd: node=vm type=USER_ACCT msg=audit(1463550423.399:58): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.403:59): pid=2272 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=LOGIN msg=audit(1463550423.403:60): pid=2272 uid=0 old-auid=4294967295 auid=20299 old-ses=4294967295 ses=3 res=1
May 18 14:47:03 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(1463550423.403:61): pid=2272 uid=0 auid=20299 ses=3 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_passwd=32743 res=0
May 18 14:47:03 vm audispd: node=vm type=USER_START msg=audit(1463550423.447:62): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:session_open acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=failed'
May 18 14:47:03 vm audispd: node=vm type=CRED_ACQ msg=audit(1463550423.447:63): pid=2297 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'
May 18 14:47:03 vm audispd: node=vm type=CRED_DISP msg=audit(1463550423.451:64): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:setcred acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=success'

Thanks regards.

** Affects: pam (Ubuntu)
     Importance: Medium
     Assignee: Don van der Haghen (donvdh)
         Status: Fix Released

** Affects: pam (Ubuntu Xenial)
     Importance: High
     Assignee: Don van der Haghen (donvdh)
         Status: In Progress

** Affects: pam (Ubuntu Bionic)
     Importance: Medium
     Assignee: Eric Desrochers (slashd)
         Status: Fix Committed

** Affects: pam (Ubuntu Cosmic)
     Importance: Medium
     Assignee: Eric Desrochers (slashd)
         Status: Fix Committed

** Affects: pam (Debian)
     Importance: Unknown
         Status: Fix Released


** Tags: bionic cosmic disco patch sts trusty verification-done-bionic verification-done-cosmic verification-needed xenial
-- 
pam_tty_audit failed in pam_open_session
https://bugs.launchpad.net/bugs/1666203
You received this bug notification because you are a member of STS Sponsors, which is subscribed to the bug report.
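
Added example (not part of the bug report or of Linux-PAM): a small log check for the symptom visible in the syslog excerpt above, where the tty_set CONFIG_CHANGE record carries new-log_passwd=32743 and the session open then fails. It assumes that both tty audit flags are booleans (0 or 1) and that res=0 on the CONFIG_CHANGE record means the kernel rejected the request; the function and variable names are hypothetical.

```python
import re

# Lines 1-2 are taken from the syslog excerpt in the report; line 3 is
# constructed to show what a healthy tty_set record looks like.
SAMPLE = """\
May 18 14:47:03 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(1463550423.403:61): pid=2272 uid=0 auid=20299 ses=3 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_passwd=32743 res=0
May 18 14:47:03 vm audispd: node=vm type=USER_START msg=audit(1463550423.447:62): pid=2272 uid=0 auid=20299 ses=3 msg='op=PAM:session_open acct="test" exe="/usr/sbin/sshd" hostname=10.99.0.1 addr=10.99.0.1 terminal=ssh res=failed'
May 18 14:50:11 vm audispd: node=vm type=CONFIG_CHANGE msg=audit(1463550611.120:80): pid=2400 uid=0 auid=20299 ses=4 op=tty_set old-enabled=0 new-enabled=1 old-log_passwd=0 new-log_passwd=0 res=1
""".splitlines()

FIELD = re.compile(r'([\w-]+)=("[^"]*"|\S+)')
VALID_FLAG = ("0", "1")  # assumption: both tty audit flags are booleans


def parse(line):
    """Return the key=value fields of one audit record as a dict."""
    # Flatten the nested msg='...' payload so its fields (op, res) are visible.
    flat = line.replace("msg='", "").replace("'", "")
    return {k: v.strip('"') for k, v in FIELD.findall(flat)}


def find_bad_tty_set(lines):
    """Flag tty_set records whose new flag values are not 0 or 1."""
    records = [parse(l) for l in lines if "type=" in l]
    # Sessions whose PAM session_open failed, for correlation.
    failed = {r.get("ses") for r in records
              if r.get("type") == "USER_START" and r.get("res") == "failed"}
    findings = []
    for r in records:
        if r.get("type") != "CONFIG_CHANGE" or r.get("op") != "tty_set":
            continue
        bad = {k: r[k] for k in ("new-enabled", "new-log_passwd")
               if k in r and r[k] not in VALID_FLAG}
        if bad:
            findings.append({
                "ses": r.get("ses"),
                "bad_fields": bad,
                "rejected": r.get("res") == "0",
                "session_open_failed": r.get("ses") in failed,
            })
    return findings


if __name__ == "__main__":
    for finding in find_bad_tty_set(SAMPLE):
        print(finding)
```

A finding with both "rejected" and "session_open_failed" set matches the failure in this report; after the fixed package is installed, the same check over fresh logs should return nothing.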