[xlockmore][PAM] Interest logs in debugging PAM
Tarc
tarc at tarc.po.cs.msu.su
Tue Jun 13 23:11:12 UTC 2006
On Tue, Jun 13, 2006 at 10:27:46PM +0400, Andrew Pantyukhin wrote:
> >It's not a good idea.
> >I've been using the recently updated xlockmore for several years and I've never
> >had any problems
>
> Well, we are serious about security issues. In these cases
> a couple of failures rule against a thousand success
> stories. I'm sure over 99% of security advisories have never
> been exploited. Yet we avoid using software with security
> flaws.
>
> So that's how it is ;-)
>
Nah, that won't do ;-)
*** DON'T KILL XLOCK WITH -KILL SIGNAL: after this your X11 will be unusable: xlock will not restore the ACL for your X11 DISPLAY ***
About BADPAM
------------
Everything is fine as far as security issues go. You can look at the xlock/passwd.c file and find the code there that works with PAM.
xlock sets the EUID back to the real UID on any error.
About GL/MesaGL modes
---------------------
Please try running `xlock -nolock': with this switch xlock doesn't lock your box.
Debugging PAM
------------
I did the following and got some interesting debug info
0) echo MAKEOBJDIRPREFIX=/usr/obj >> /etc/make.conf
1) cd ${PORTSDIR}/x11/xlockmore && make config configure
*** I select WITH_PAM option to be on and BADPAM to be off ***
2) cd /usr/obj/`pwd`/work/xlockmore-5.22/xlock
3) apply the following patch, go to ${PORTSDIR}/x11/xlockmore and run `make install'
*** This patch enables debug messages in the OpenPAM library (which FreeBSD uses) ***
----%<-----debug.openpam.patch-
--- passwd.c.orig Thu Dec 15 15:39:51 2005
+++ passwd.c Wed Jun 14 02:20:22 2006
@@ -1165,6 +1165,7 @@
#else /* !DCE_PASSWD */
#ifdef USE_PAM
+ extern int _openpam_debug;
/*-
* Use PAM to do authentication. No session logging, only authentication.
* Bail out if there are any errors.
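Review bot: `+ extern int _openpam_debug;` declares an OpenPAM-internal symbol (leading underscore, not part of the documented libpam API), and it is placed under `#ifdef USE_PAM` while its only use in the next hunk is under `#ifdef DEBUG`. Wrap the declaration in the same `#ifdef DEBUG` so non-debug builds carry no reference to a private symbol, and keep this out of anything that ships in the port.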
@@ -1191,6 +1192,7 @@
(void) seteuid(0); /* temporarily go to root so that pam can get shadow password */
#endif
#ifdef DEBUG
+ _openpam_debug = 1;
(void) printf("PAM: Before: UID (%d), EUID (%d)\n", getuid(), geteuid());
#endif
PAM_password = buffer;
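Review bot: `+ _openpam_debug = 1;` is set right after the `seteuid(0)` above and is never cleared, so every later PAM call made by this xlock process logs at debug level to auth.* for as long as the process lives. That is fine for a one-off diagnosis, but the patch header should say it is debug-only and not for the committed passwd.c, and resetting it to 0 once the authentication attempt is finished would confine the trace to the unlock attempt itself.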
---->%-----debug.openpam.patch-
4) Because I don't have NIS at all, the contents of my /etc/nsswitch.conf follow:
*** system compiled & installed with the WITHOUT_NIS option in /etc/src.conf ***
----%<-----nsswitch.conf-
group: files
hosts: files dns
networks: files
passwd: files
shells: files
services: files
protocols: files
rpc: files
---->%-----nsswitch.conf-
5) enable auth.debug logging by syslogd(8):
----%<-----syslog.conf.patch-
--- /usr/src/etc/syslog.conf Tue May 30 03:26:02 2006
+++ syslog.conf Wed Jun 14 01:51:08 2006
@@ -9,6 +9,7 @@
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.* /var/log/security
auth.info;authpriv.info /var/log/auth.log
+auth.* /var/log/auth.debug.log
mail.info /var/log/maillog
lpr.info /var/log/lpd-errs
ftp.info /var/log/xferlog
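Review bot: `+auth.* /var/log/auth.debug.log` needs the target file to exist before syslogd is restarted, because syslogd does not create log files; create it with restrictive permissions, since the auth.debug trace records which accounts were tried and every policy and module decision. Note also that auth.info and higher will now be written both here and to /var/log/auth.log by the `auth.info;authpriv.info` line above it.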
---->%-----syslog.conf.patch-
6) run xlock, type _any_ text as the password and look in the system log for auth.debug (in my case /var/log/auth.debug.log) for the following:
*** I killed xlock after "incorrect input". ***
----%<-----auth.debug.log-
Jun 14 02:20:38 tarc xlock[2424]: Start: tarc, tarc, :1.0
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.d/xlock: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.conf: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_unix.so: pam_sm_open_session(): Undefined symbol "pam_sm_open_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_unix.so: pam_sm_close_session(): Undefined symbol "pam_sm_close_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_unix.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_unix.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_echo.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_echo.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_authenticate(): Undefined symbol "pam_sm_authenticate"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_setcred(): Undefined symbol "pam_sm_setcred"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_open_session(): Undefined symbol "pam_sm_open_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_close_session(): Undefined symbol "pam_sm_close_session"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_dynamic(): pam_login_access.so: pam_sm_chauthtok(): Undefined symbol "pam_sm_chauthtok"
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_login_access.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_login_access.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_permit.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): adding pam_permit.so to cache
Jun 14 02:20:42 tarc xlock[2424]: in pam_start(): pam_start("xlock") succeeded
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Got user: tarc
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Doing real authentication
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Got password
Jun 14 02:20:46 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Got user: root
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Doing real authentication
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Got password
Jun 14 02:20:54 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_echo.so
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_unix.so
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_login_access.so
Jun 14 02:20:58 tarc xlock[2424]: in openpam_release_module(): releasing pam_permit.so
Jun 14 02:20:58 tarc xlock[2424]: xlock: failed unlock attempt on user tarc
Jun 14 02:20:58 tarc xlock[2424]: Access control list restored. xlock: caught signal 15 while running qix mode (uid 1001).
Jun 14 02:20:58 tarc xlock[2424]: Stop: tarc, tarc, :1.0, 0m 20s
---->%-----auth.debug.log-
What does it mean? It means that on FreeBSD BADPAM is needed. IMHO
--
Best regards,
Arseny Nasokin
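A small log triage helper, added here as an example (it is not part of the mail above or of xlockmore), that reads auth.debug lines like the ones quoted and summarizes what OpenPAM did: which policy files were missing, which modules were loaded, which accounts were tried and whether the unlock failed. The sample lines are a constructed subset of the log quoted above; the "fallback policy" reading in diagnose() is an assumption about OpenPAM's behaviour when neither file exists.

```python
import re

# Constructed sample: a subset of the auth.debug lines quoted in the mail above.
SAMPLE_LOG = """\
Jun 14 02:20:38 tarc xlock[2424]: Start: tarc, tarc, :1.0
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.d/xlock: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_read_chain(): /etc/pam.conf: No such file or directory
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_unix.so
Jun 14 02:20:42 tarc xlock[2424]: in openpam_load_module(): using dynamic pam_login_access.so
Jun 14 02:20:42 tarc xlock[2424]: in pam_sm_authenticate(): Got user: tarc
Jun 14 02:20:46 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:50 tarc xlock[2424]: in pam_sm_authenticate(): Got user: root
Jun 14 02:20:54 tarc xlock[2424]: in openpam_dispatch(): required module failed
Jun 14 02:20:58 tarc xlock[2424]: xlock: failed unlock attempt on user tarc
"""

# syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ (?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

def summarize(log_text, prog="xlock"):
    """Collapse one OpenPAM debug trace into the facts an analyst needs."""
    s = {"missing_config": [], "modules": [], "users": [],
         "required_failures": 0, "unlock_failed": False}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("prog") != prog:
            continue
        msg = m.group("msg")
        if msg.startswith("in openpam_read_chain(): ") and msg.endswith("No such file or directory"):
            s["missing_config"].append(msg.split(": ")[1])   # policy file OpenPAM looked for
        elif "using dynamic " in msg:
            s["modules"].append(msg.rsplit(" ", 1)[1])         # module actually loaded
        elif "Got user: " in msg:
            s["users"].append(msg.rsplit(": ", 1)[1])          # account tried by pam_unix
        elif msg.endswith("required module failed"):
            s["required_failures"] += 1
        elif "failed unlock attempt" in msg:
            s["unlock_failed"] = True
    return s

def diagnose(s, prog="xlock"):
    """One-line finding. Assumption: with no service file and no pam.conf,
    OpenPAM falls back to its default policy rather than denying outright."""
    src = "fallback policy" if f"/etc/pam.d/{prog}" in s["missing_config"] else "service policy"
    return (f"{prog}: modules from {src} ({', '.join(s['modules'])}); "
            f"users tried: {', '.join(s['users'])}; "
            f"{s['required_failures']} required-module failure(s); "
            f"unlock {'failed' if s['unlock_failed'] else 'succeeded'}")
```

Run it over a real auth.debug.log with `summarize(open(path).read())`; the second "Got user" line shows that xlock also tries the root account after the user's own password is rejected.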
More information about the freebsd-ports mailing list