debcrafters-packages team mailing list archive

[Bug 2125907] [NEW] pam_exec.so : inconsistent privilege between login and session unlock

Public bug reported:

To reproduce the bug:
In `/etc/pam.d/common-auth`, add the following line after successful authentication:
```
auth    optional    pam_exec.so /usr/local/bin/log-wtmp.sh
```

Create the file `/usr/local/bin/log-wtmp.sh` (as below) with permission 755; create the empty log file `/tmp/wtmp.log` with permission 666
```
#!/bin/bash

# record when the hook ran and the identity it ran as
date --iso-8601=seconds >>/tmp/wtmp.log
id >>/tmp/wtmp.log
# SUID helper that writes to /var/log/wtmp as root
/usr/local/bin/log-wtmp
```

Create the program `/usr/local/bin/log-wtmp` with the SUID bit set; it can
touch /var/log/wtmp (or do any logging with root privilege).


The buggy behaviour:
No matter whether `seteuid` is set: during a session login, appending to `/tmp/wtmp.log` fails, but `/usr/local/bin/log-wtmp` succeeds; during a session unlock, appending to `/tmp/wtmp.log` succeeds, but `/usr/local/bin/log-wtmp` fails.

This happens on at least the latest Ubuntu 22.04 (presumably on Ubuntu
24 as well).

Somehow, the SUID escalation will also fail.
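A diagnostic pam_exec hook of the following shape, added here as an example and not part of the bug report, records the real and effective uid, the NoNewPrivs flag, the effective capability mask and the umask that pam_exec's child actually has, together with the PAM_TYPE, PAM_SERVICE and PAM_USER variables pam_exec exports, so the login run and the unlock run can be compared from one syslog line each. It writes through `logger` instead of a world-writable file under /tmp, so the record lands whichever uid the hook runs as. The script path /usr/local/bin/pam-ctx.sh, the `pam-ctx` syslog tag and the status-file argument used for testing are assumptions; NoNewPrivs is shown because a set flag is one documented reason a setuid helper cannot raise privilege, not because the page says that is the cause here.

```shell
#!/bin/bash
# Diagnostic pam_exec hook (added example; not part of the bug report).
# Assumed deployment, mirroring the report's line in /etc/pam.d/common-auth:
#   auth    optional    pam_exec.so /usr/local/bin/pam-ctx.sh
# Every field comes from /proc/self/status, umask, or the PAM_* variables
# that pam_exec exports to its child.

# Build one record. The optional argument names the status file to read
# (default /proc/self/status) so the function can be exercised on a
# constructed file without going through PAM.
pam_context_record() {
    status_file="${1:-/proc/self/status}"

    # "Uid:<tab>real<tab>effective<tab>saved<tab>fs"
    set -- $(grep '^Uid:' "$status_file")
    uid="${2:-?}"; euid="${3:-?}"

    # NoNewPrivs=1 means execve() ignores setuid bits and file capabilities.
    set -- $(grep '^NoNewPrivs:' "$status_file")
    nnp="${2:-?}"

    # Effective capability mask; all zeros means no root-equivalent capabilities.
    set -- $(grep '^CapEff:' "$status_file")
    capeff="${2:-?}"

    printf 'pam-ctx type=%s service=%s user=%s uid=%s euid=%s nnp=%s capeff=%s umask=%s\n' \
        "${PAM_TYPE:-?}" "${PAM_SERVICE:-?}" "${PAM_USER:-?}" \
        "$uid" "$euid" "$nnp" "$capeff" "$(umask)"
}

# Human-readable reading of the NoNewPrivs flag value.
explain_nnp() {
    case "$1" in
        1) printf '%s' 'NoNewPrivs set: a setuid helper run from here cannot gain privilege' ;;
        0) printf '%s' 'NoNewPrivs clear' ;;
        *) printf '%s' 'NoNewPrivs unknown' ;;
    esac
}

# Only act when invoked by pam_exec (it always sets PAM_TYPE); sourcing the
# file for testing leaves this branch untouched.
if [ -n "${PAM_TYPE:-}" ]; then
    record="$(pam_context_record)"
    set -- $(grep '^NoNewPrivs:' /proc/self/status)
    note="$(explain_nnp "${2:-?}")"
    if command -v logger >/dev/null 2>&1; then
        logger -t pam-ctx -p authpriv.info "$record ($note)"
    else
        printf '%s (%s)\n' "$record" "$note" >&2
    fi
fi
```

After a login and an unlock, `journalctl -t pam-ctx` shows the two records side by side; differing `service=`, `euid=` or `nnp=` fields tell which context the stack was run from and why a file write or a setuid helper behaved differently in each. With `optional` the hook's exit status is ignored, as in the report's configuration.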

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2125907