7051593 2001-09-06 00:37 +0300  /32 lines/ Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
Sent by: joel@lysator.liu.se
Imported: 2001-09-06 00:49 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19083>
Subject: pam limits drops privileges
------------------------------------------------------------
From: Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
To: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0109052356560.13610-100000@blackblue.iasi.rdsnet.ro>

Tested with: RedHat Linux
    pam-0.74-22, pam-0.75-7, util-linux-2.10s,
    util-linux-2.10s-12, in any combination.
Posted on: Bugzilla and Pam-Bugs.
Distribution dependent: dunno, but I think it's a pam bug.

Problem description:
    If there are any limits set for a group of users then those users, logging in by any method using /bin/login (console login, telnet, etc) can get privileges of the last user last logged in via ssh (we're using openssh).

How to reproduce:
    # groupadd testgroup
    # useradd testuser -g testgroup
    # echo '@testgroup - maxlogins 2'
    ssh (let's say) as root into your box, then telnet into it and login as testuser... and enjoy.

    I think this is a big problem because it's difficult to manage a >200 users system without group/user limits.

--
Tarhon-Onu Victor
Network and System Engineer
RDS Iasi - Network Operations Center
Phone: +40-32-218385
(7051593) /Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>/

7056562 2001-09-05 23:16 -0500  /23 lines/ Chris Adams <cmadams@hiwaay.net>
Sent by: joel@lysator.liu.se
Imported: 2001-09-06 18:03 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19087>
Comment on text 7051593 by Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
Subject: Re: pam limits drops privileges
------------------------------------------------------------
From: Chris Adams <cmadams@hiwaay.net>
To: bugtraq@securityfocus.com
Message-ID: <20010905231605.B29739@HiWAAY.net>

Once upon a time, Tarhon-Onu Victor <mituc@iasi.rdsnet.ro> said:
> Tested with: RedHat Linux
> pam-0.74-22, pam-0.75-7, util-linux-2.10s,
> util-linux-2.10s-12, in any combination.
> Posted on: Bugzilla and Pam-Bugs.
> Distribution dependent: dunno, but I think it's a pam bug.

I've tried this on Red Hat Linux 7.1 with pam-0.74-22, util-linux-2.10s-12 (which I then noticed has been updated with 2.10s-13.7, so I also checked that), and openssh-2.5.2p2-5. I was unable to duplicate this.

What is the RH Bugzilla ID#?
--
Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
(7056562) /Chris Adams <cmadams@hiwaay.net>/--------

7063224 2001-09-06 16:39 +0300  /48 lines/ Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
Sent by: joel@lysator.liu.se
Imported: 2001-09-07 18:22 by Brevbäraren
External recipient: Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19106>
Subject: Re: pam limits drops privileges
------------------------------------------------------------
From: Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
To: Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0109061627310.19327-100000@blackblue.iasi.rdsnet.ro>

On Thu, 6 Sep 2001, Lukasz Trabinski wrote:

> Password:
> Too many logins for 'test'.

    First of all kill all the processes owned by test.
    Then let's make it step by step:

# groupadd testgroup
# useradd -g testgroup testuser
# echo '@testgroup - maxlogins 3'>>/etc/security/limits.conf
# ssh pulea@localhost
pulea@localhost's password:
Last login: Thu Sep 6 16:30:16 2001 from localhost.localdomain
blackblue (pulea):~>telnet 0 -l testuser
Trying 0.0.0.0...
Connected to 0.
Escape character is '^]'.
Password:
Last login: Thu Sep 6 16:32:33 from localhost.localdomain
blackblue (pulea):~>id
uid=504(pulea) gid=100(users) groups=508(testgroup)
blackblue (pulea):~>id testuser
uid=508(testuser) gid=508(testgroup) groups=508(testgroup)

Syslog messages:
Sep 6 16:33:30 blackblue pam_limits[19558]: checking if testuser is in group testgroup
Sep 6 16:33:30 blackblue -- testuser[19558]: LOGIN ON pts/1 BY pulea FROM localhost.localdomain

    You will obtain the same results (logging in as testuser you will get pulea's shell) logging from console as testuser.

--
Tarhon-Onu Victor
Network and System Engineer
RDS Iasi - Network Operations Center
Phone: +40-32-218385
(7063224) /Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>/(Rewrapped)

7063226 2001-09-06 10:27 +0200  /47 lines/ Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>
Sent by: joel@lysator.liu.se
Imported: 2001-09-07 18:23 by Brevbäraren
External recipient: Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
External CC recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19107>
Subject: Re: pam limits drops privileges
------------------------------------------------------------
From: Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>
To: Tarhon-Onu Victor <mituc@iasi.rdsnet.ro>
Cc: <bugtraq@securityfocus.com>
Message-ID: <Pine.LNX.4.33.0109061018020.1365-100000@lt.wsisiz.edu.pl>

On Thu, 6 Sep 2001, Tarhon-Onu Victor wrote:

>
> ssh into your box as any user then telnet into it as user test, or
> login as test from the console.

On console (tty5) after login three times as test by ssh:

lt login: test
Password:
Too many logins for 'test'.

In log files:

Sep 6 10:18:57 lt pam_limits[1451]: Too many logins (max 2) for test
Sep 6 10:18:59 lt login(pam_unix)[1451]: session opened for user test by LOGIN(uid=0)
Sep 6 10:18:59 lt pam_limits[1451]: Too many logins (max 2) for test
Sep 6 10:19:01 lt login[1451]: Permission denied

By telnet:

lt:~$ telnet lt
Trying 213.135.44.150...
Connected to lt.
Escape character is '^]'.

Linux 2.4.9 (lt.wsisiz.edu.pl) (10:22 on Thursday, 06 September 2001)

login: test
Password:
Too many logins for 'test'.
Too many logins for 'test'.
Permission denied
Connection closed by foreign host.

--
*[ Łukasz Trąbiński ]*
SysAdmin @wsisiz.edu.pl
(7063226) /Lukasz Trabinski <lukasz@lt.wsisiz.edu.pl>/(Rewrapped)
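
Added example, not part of the original thread or of any poster's code: a log check built on the syslog lines quoted above, where pam_limits and login name different accounts under the same PID on the affected host but agree on the unaffected one. The regular expressions and function name are assumptions derived only from those quoted lines; the sample input is constructed from them.

```python
import re
from collections import defaultdict

# Constructed sample: syslog lines as quoted in the thread (both hosts).
SAMPLE_LOG = """\
Sep 6 16:33:30 blackblue pam_limits[19558]: checking if testuser is in group testgroup
Sep 6 16:33:30 blackblue -- testuser[19558]: LOGIN ON pts/1 BY pulea FROM localhost.localdomain
Sep 6 10:18:57 lt pam_limits[1451]: Too many logins (max 2) for test
Sep 6 10:18:59 lt login(pam_unix)[1451]: session opened for user test by LOGIN(uid=0)
Sep 6 10:19:01 lt login[1451]: Permission denied
"""

# Classic syslog layout: timestamp, host, tag[pid]: message
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(.*?)\[(\d+)\]:\s+(.*)$")

# Message patterns that name the account a login process is acting for.
# These cover only the message shapes that appear in the thread.
CLAIMS = [
    ("pam_limits", re.compile(r"checking if (\S+) is in group")),
    ("pam_limits", re.compile(r"Too many logins \(max \d+\) for (\S+)")),
    ("pam_unix", re.compile(r"session opened for user (\S+)")),
    ("login", re.compile(r"LOGIN ON \S+ BY (\S+)")),
]

def find_identity_mismatches(log_text):
    """Return (host, pid, {source: user}) for every login process whose
    own log lines name more than one account."""
    seen = defaultdict(dict)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        host, _tag, pid, msg = m.groups()
        for source, pattern in CLAIMS:
            hit = pattern.search(msg)
            if hit:
                # Keep the first account each source reported for this PID.
                seen[(host, pid)].setdefault(source, hit.group(1))
    # PIDs recycle, so on long logs also bound the match by time window.
    return [(host, pid, users) for (host, pid), users in seen.items()
            if len(set(users.values())) > 1]

if __name__ == "__main__":
    for host, pid, users in find_identity_mismatches(SAMPLE_LOG):
        print(f"{host} pid {pid}: accounts disagree: {users}")
```
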