Comments (8)
Hey, thanks for the report.
The first part is expected behavior I would say. Since you specified required
rather than requisite
the authentication won't fail right away, but if you continue the process by typing in your password you will eventually get a failure.
The second part is indeed an issue. I've pushed some code to fix that.
There is now an additional check that makes sure that the authentication file is owned either by the target user or by root.
I believe this is the best solution. I'll be making a new release later this afternoon/tomorrow and will also publish a security advisory.
Comments are welcome.
A.
from pam-u2f.
I don't think this is the right solution.
You are still allowing the environment variable to cross the security boundary, between the unauthenticated user and the privileged authentication code (*). You're probably looking for secure_getenv(3), it is designed for such uses.
(*) It is relatively easy to construct scenarios where this check can be circumvented. For example, let's say that the root user creates an example file anywhere, owned by root. Then you can create the right directory structure, and symlink to this file in the right place, and set the variable. Now this file will be used to authenticate the root user. This also applies to backups, the user renaming a file to provide a new one, etc, etc. In each of those cases, this new check can be circumvented.
from pam-u2f.
The reason why I don't like secure_getenv is that it's GNU specific.
I'm not sure I follow your example with the symlink, the content of the file is still written by root, the pam module configuration file is written and owned by root. You would have to have a valid file, owned by root in a path where your user has write access. Probably I'm not getting your example correctly.
Anyway, symlink can be disabled.
A.
from pam-u2f.
The reason why I don't like secure_getenv is that it's GNU specific.
You can reimplement a fallback if it is not available. It's not terribly sophisticated.
I'm not sure I follow your example with the symlink
The way I understand the "promise" from the u2f pam module is that "the file /root/Yubico/u2f_keys" will be used to authenticate for the root user. If a user can convince the module to use any other file the promise is broken.
Specifically: root loses his dongle, moves /root/Yubico/u2f_keys → /root/Yubico/u2f_keys.bad, and creates a new /root/Yubico/u2f_keys file. Eve finds the old dongle and can authenticate by doing mkdir /tmp/Yubico && ln -s /root/Yubico/u2f_keys.bad /tmp/Yubico/u2f_keys && XDG_CONFIG_HOME=/tmp su -
A different example: the user is allowed to automount a cdrom. The cdrom is mounted nosuid so it shouldn't be usable for privilege escalation. Eve inserts a cdrom with a root-owned u2f_keys file and the right directory structure, repeat of story. You can try playing whack-a-mole with checking permissions but it's a lost cause.
from pam-u2f.
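A portable secure_getenv(3) stand-in of the kind suggested above, combined with the ownership check from the earlier fix as a second layer, as an added example (not pam-u2f's own code). The path layout ($XDG_CONFIG_HOME/Yubico/u2f_keys, default $HOME/.config/Yubico/u2f_keys) and all function names are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif
/* Nonzero when the environment crossed a privilege boundary: the kernel marked
 * the process secure (setuid/setgid/caps, AT_SECURE) or real != effective ids. */
int env_is_untrusted(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    return getuid() != geteuid() || getgid() != getegid();
}
/* Portable stand-in for secure_getenv(3): glibc's where available, the
 * fallback above elsewhere. Yields NULL inside a privileged process. */
const char *safe_getenv(const char *name)
{
#if defined(__GLIBC__)
    return secure_getenv(name);
#else
    return env_is_untrusted() ? NULL : getenv(name);
#endif
}
/* Build the keys path (layout assumed from the thread: $XDG_CONFIG_HOME/Yubico/
 * u2f_keys, default $HOME/.config/Yubico/u2f_keys). `untrusted` is a parameter
 * so the policy is testable without setuid; real callers pass env_is_untrusted(). */
int resolve_keys_path(const char *home, const char *xdg, int untrusted, char *out, size_t cap)
{
    int n = (!untrusted && xdg && *xdg)
        ? snprintf(out, cap, "%s/Yubico/u2f_keys", xdg)
        : snprintf(out, cap, "%s/.config/Yubico/u2f_keys", home);
    return n > 0 && (size_t)n < cap;   /* 1 on success, 0 on truncation */
}
/* Second layer, the earlier ownership check applied to the opened fd (no
 * check-then-use race): regular file, no symlink, owned by uid or root. */
int open_u2f_keys(const char *path, uid_t uid)
{
    struct stat st; int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        (st.st_uid != uid && st.st_uid != 0)) { close(fd); return -1; }
    return fd;
}
```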
True about implementing a replacement.
As for the examples they look pretty crafted to me, it's like saying that Eve can login as root because she has found a readable file with the plain-text password.
On top of that it seems to me that stripping away the possibility of following symlinks handles these cases.
Mounting another file-system is something that only root is allowed to do, including automounts since root owns /etc/fstab.
I don't think this is a whack-a-mole game, but a matter of defining all the correct cases and addressing them.
And if at some point we can't find a reasonable solution to address the problem I think the better solution is to remove the functionality altogether.
from pam-u2f.
All modern desktops allow users to mount filesystems from insertable media (usb keys, cdroms, phones, cards). At that point you don't need symlinks to mount an attack.
And if at some point we can't find a reasonable solution to address the problem I think the better solution is to remove the functionality altogether.
Certainly removing this feature is better than doing nothing.
from pam-u2f.
Pushed new code using secure_getenv where available and doing nothing otherwise.
As always comments are welcome.
from pam-u2f.
Bug seems to be resolved with the patches, $XDG_CONFIG_HOME is ignored.
Thanks.
from pam-u2f.