
touch-packages team mailing list archive

[Bug 1291661] Re: PAM misconfiguration for auditd results in audit trail loss


quantal has seen the end of its life and is no longer receiving any
updates. Marking the quantal task for this ticket as "Won't Fix".

** Changed in: audit (Ubuntu Quantal)
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to audit in Ubuntu.
https://bugs.launchpad.net/bugs/1291661

Title:
  PAM misconfiguration for auditd results in audit trail loss

Status in audit package in Ubuntu:
  Fix Released
Status in audit source package in Precise:
  Incomplete
Status in audit source package in Quantal:
  Won't Fix

Bug description:
  The auditd package included in Debian Wheezy and Ubuntu 12.04 LTS (and
  probably other Debian and Ubuntu releases as well) adds
  pam_loginuid.so to the /etc/pam.d/common-session and
  /etc/pam.d/common-session-noninteractive PAM sub-configuration files.
  These sub-configuration files are in turn included by reference in the
  /etc/pam.d/su and /etc/pam.d/sudo files.  This results in
  pam_loginuid.so being included when the user context is switched by
  running su or sudo.

  The man page for pam_loginuid, however, warns us not to do that, as
  this will cause the original user context to be lost in the audit logs
  (emphasis mine):

         The pam_loginuid module sets the loginuid process attribute for the
         process that was authenticated. This is necessary for applications to
         be correctly audited. This PAM module should only be used for entry
         point applications like: login, sshd, gdm, vsftpd, crond and atd.
         There are probably other entry point applications besides these. You
         should not use it for applications like sudo or su as that defeats
         the purpose by changing the loginuid to the account they just
         switched to.

  The fix, of course, is never to add pam_loginuid.so to any common PAM
  configuration file - or to exclude common-session and
  common-session-noninteractive from /etc/pam.d/su and /etc/pam.d/sudo,
  replacing it with the respective files' constituent lines, but without
  pam_loginuid.so.
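
The following is an added example, not part of the bug report or of the audit package: a read-only POSIX shell checker that resolves Debian/Ubuntu-style `@include` directives in a pam.d directory and reports whether the effective stacks of su and sudo load pam_loginuid.so. The two sample layouts it builds (the shipped one with pam_loginuid.so in the common-session files, and the fixed one with su/sudo carrying their constituent lines inline) are constructed to mirror the description above; the function names are the example's own.

```shell
#!/bin/sh
# Added example: detect pam_loginuid.so reaching su/sudo through @include.
# Sample file contents are constructed; only the pam.d layout and module
# names described in the bug report are assumed.

# Constructed layout as shipped by the buggy package: pam_loginuid.so sits in
# the common-session files that su and sudo pull in by reference.
make_buggy_pamd() {
  mkdir -p "$1"
  printf '%s\n' 'session required pam_unix.so' 'session required pam_loginuid.so' \
    > "$1/common-session"
  printf '%s\n' 'session required pam_unix.so' 'session required pam_loginuid.so' \
    > "$1/common-session-noninteractive"
  printf '%s\n' 'auth sufficient pam_rootok.so' '@include common-session' > "$1/su"
  printf '%s\n' '@include common-session-noninteractive' > "$1/sudo"
  printf '%s\n' '@include common-session' > "$1/sshd"   # a genuine entry point
}

# Constructed layout after the fix the report proposes: su and sudo carry the
# constituent session lines inline, minus pam_loginuid.so; sshd keeps the include.
make_fixed_pamd() {
  make_buggy_pamd "$1"
  printf '%s\n' 'auth sufficient pam_rootok.so' 'session required pam_unix.so' > "$1/su"
  printf '%s\n' 'session required pam_unix.so' > "$1/sudo"
}

# Print the effective configuration of one service, following @include lines
# recursively (each include runs in a subshell so the caller's variables and
# open input file are left intact).
expand_pam() {
  dir=$1; file=$2; depth=${3:-0}
  [ "$depth" -le 8 ] || return 0          # guard against include loops
  [ -r "$dir/$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      @include*)
        inc=$(printf '%s' "${line#@include}" | awk '{print $1}')
        ( expand_pam "$dir" "$inc" $((depth + 1)) ) ;;
      *) printf '%s\n' "$line" ;;
    esac
  done < "$dir/$file"
}

# Succeeds (exit 0) when the service's effective stack loads pam_loginuid.so,
# ignoring commented-out lines.
loads_loginuid() {
  expand_pam "$1" "$2" | grep -v '^[[:space:]]*#' | grep -q 'pam_loginuid\.so'
}

# Check the user-switching services. Findings go to stderr, the finding count
# to stdout, so the count can be consumed by a script.
audit_switch_services() {
  n=0
  for svc in su sudo; do
    if loads_loginuid "$1" "$svc"; then
      echo "FINDING: $1/$svc loads pam_loginuid.so; loginuid is rewritten on switch" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}
```

Running `audit_switch_services /etc/pam.d` on a live host prints one finding per affected service and a count; a non-zero count means su/sudo will overwrite the loginuid the entry-point service set, which is the audit trail loss the report describes. The checker only follows `@include` directives; stacks that pull files in through the `include` or `substack` control values are not expanded and would need to be read by hand.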
