Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#67934 - [pambase] PAM configuration allows bypassing account/password expiration checks

Attached to Project: Arch Linux
Opened by Emanuele Giacomelli (manuelino) - Friday, 18 September 2020, 18:32 GMT
Last edited by freswa (frederik) - Friday, 18 September 2020, 22:29 GMT
Task Type Bug Report
Category Security
Status Closed
Assigned To No-one
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No



The default PAM configuration for system-auth allows bypassing checks for password and account expiration.

In /etc/pam.d/system-auth, there are the following configuration lines for the account service type:

-account [success=1 default=ignore]
account required
account optional
account required

which means that, for accounts that are managed by systemd-homed, the usual account checks enforced
by are skipped.

The problem is, returns OK even for accounts _not_ managed by systemd-homed.
When logging in with such an account, is systematically skipped from account
processing. The result is that no one ever checks password and account aging information,
allowing users with an expired password or account to login as long as the password is correct.

If this line:

-account [success=1 default=ignore]

is commented or moved after, account checks against /etc/shadow aging info are
performed normally.

Additional info:
* package version(s)
pambase 20200721.1-2

* config and/or log files etc.
the default /etc/pam.d/system-auth stored in pambase

Steps to reproduce:

* create a test account and set its expiration date in the past:

useradd -e 2020-01-01 -m test
passwd test # Choose a password
chage -l test # Confirm that account expiration date is in the past

* switch to a VT and try to login with test. This should not be allowed, given the
account is expired, but works nonetheless.

* Now edit /etc/pam.d/system-auth and comment the offending line;

* switch to a VT and try to login with test. This time it fails as expected.
This task depends upon

Closed by  freswa (frederik)
Friday, 18 September 2020, 22:29 GMT
Reason for closing:  Duplicate
Additional comments about closing:  FS#65819
Comment by loqs (loqs) - Friday, 18 September 2020, 19:04 GMT