ports/181525: ports/i3lock don't check the password

Gerhard Brauer gb+ML-2011 at derbrauer.homelinux.net
Sun Aug 25 13:30:01 UTC 2013 

>Number:         181525
>Category:       ports
>Synopsis:       ports/i3lock don't check the password
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Aug 25 13:30:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator:     Gerhard Brauer
>Release:        9.1-RELEASE
>Organization:
>Environment:
FreeBSD ws01 9.1-RELEASE-p6 FreeBSD 9.1-RELEASE-p6 #0: Wed Aug 21 20:40:52 UTC 2013     root at amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
i3lock 2.5

i3lock screenlocker could be unlocked after installation with any phrase. One "anykey" is enough to unlock.

After discussion on german freebsd mailing list we found the reason(s):
i3lock uses PAM to get authorization. It uses "auth include login" PAM modul, which itself uses pam_self. pam_self leads to the behavior that any phrase could do the unlock cause pam_self give login permission if the calling process comes from the same UID - regardless of the submitted passphrase. With pam_self als "sufficent modul" a user could authenticate itself without his/her password.

Using PAM modul "auth include system" disable this - more or less lightly - security hole, but the user could never authenticate itself, also with the correct password. This reason is that only root have access to verify the crypted passwords.
So i3lock binary needs also setuid bit flagged. Other screen locker/saver have this also set, from the same reasons.

With current default settings i3lock under FreeBSD is useless and maybe a security problem if the user don't pay attention on above.
>How-To-Repeat:
Build and install i3lock, use it as a user:
a)
%i3lock

(Any phrase could do the unlock)

>Fix:
/usr/local/etc/pam.d/i3lock:
- auth include login
+ auth include system

chmod 4111 /usr/local/bin/i3lock
(slock port do for example the same during with install script)


>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-ports-bugs mailing list