System authentication fails when using a tied account
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenVista/GT.M Integration | Fix Released | High | jeff.apple | phase1-beta
Bug Description
Users with programmer mode can execute Linux commands. To protect the system from tied account users, we prompt users for their Linux username and password before allowing them access to programmer mode, even if they hold the programmer mode key.
This worked in our development environments, and even our QA environments which use LDAP authentication. However, on systems that use normal shadow authentication, /sbin/unix_chkpwd prevents the unprivileged Linux tied account ("openvista") from checking passwords of any other Linux user (e.g., "bob"). According to the man page, this is by design - unix_chkpwd only allows users to check their own password. Otherwise, anyone on the system could use it to brute force other users' passwords.
Ideally, we would address this by modifying the PAM configuration or the openvista.dopam() call such that processes running as the openvista Linux user (the tied account) can check the passwords of users in the openvista group, but failures will incur a delay (to protect against brute forcing). For all other users (except root, obviously), the current behavior is fine.
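The two authorization rules described above, modelled as an added example that is not part of the bug report or of the OpenVista code: the existing unix_chkpwd rule (only root, or the user themselves, may have a password checked) and the proposed rule (the tied account may additionally check members of the openvista group, with a growing delay on every failure). The account database, the group membership, the delay values and the `verify` callback are constructed stand-ins for /etc/passwd, /etc/group and the real PAM conversation, not values from the page.

```python
"""Model of the unix_chkpwd authorization rule and the proposed tied-account rule.

The account and group tables below are constructed for the example; in a real
system they come from the passwd/group databases and the check is made by the
setuid helper, not by the calling process.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed stand-in for /etc/passwd (user -> uid).
PASSWD: Dict[str, int] = {"root": 0, "openvista": 1001, "bob": 1002, "alice": 1003}
# Constructed stand-in for /etc/group; bob may use programmer mode, alice may not.
GROUPS: Dict[str, set] = {"openvista": {"openvista", "bob"}}

TIED_ACCOUNT = "openvista"   # the unprivileged Linux user the tied sessions run as
TIED_GROUP = "openvista"     # group whose members may be authenticated by it


def unix_chkpwd_allows(caller_uid: int, target_user: str) -> bool:
    """Current helper rule: root may check anyone, everyone else only themselves.

    This is why a process running as uid 1001 (openvista) cannot verify bob's
    password: unix_chkpwd compares the caller's real uid with the target uid.
    """
    if target_user not in PASSWD:
        return False
    return caller_uid == 0 or PASSWD[target_user] == caller_uid


def proposed_rule_allows(caller_uid: int, target_user: str) -> bool:
    """Proposed rule: keep the current behaviour, and additionally let the tied
    account check the password of any member of the openvista group."""
    if unix_chkpwd_allows(caller_uid, target_user):
        return True
    is_tied_account = caller_uid == PASSWD[TIED_ACCOUNT]
    return is_tied_account and target_user in GROUPS.get(TIED_GROUP, set())


@dataclass
class DelayedChecker:
    """Wraps a password verifier with per-user exponential failure delays."""
    verify: Callable[[str, str], bool]          # stand-in for the PAM conversation
    base_delay: float = 2.0                      # seconds after the first failure
    max_delay: float = 30.0                      # cap so a stuck client cannot hang forever
    sleep: Callable[[float], None] = time.sleep  # injectable so tests need not wait
    failures: Dict[str, int] = field(default_factory=dict)

    def check(self, caller_uid: int, user: str, password: str) -> str:
        """Return 'denied', 'ok' or 'bad-password'; failures sleep before returning."""
        if not proposed_rule_allows(caller_uid, user):
            return "denied"
        if self.verify(user, password):
            self.failures.pop(user, None)   # reset the counter on success
            return "ok"
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        # 2s, 4s, 8s, ... capped at max_delay: cheap for a typo, expensive for guessing.
        self.sleep(min(self.base_delay * 2 ** (count - 1), self.max_delay))
        return "bad-password"


if __name__ == "__main__":
    # Constructed verifier: only bob with the password "correct" succeeds.
    checker = DelayedChecker(verify=lambda u, p: (u, p) == ("bob", "correct"))
    print(unix_chkpwd_allows(1001, "bob"))      # False: current helper rule
    print(proposed_rule_allows(1001, "bob"))    # True: tied account, group member
    print(proposed_rule_allows(1001, "alice"))  # False: not in the openvista group
    print(checker.check(1001, "bob", "correct"))
```

The delay is keyed on the target user rather than on the caller, because every programmer-mode login arrives from the same tied account; keying on the caller would let one slow guess stream against many users share a single counter.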
Changed in openvista-gtm-integration:
- importance: Undecided → High
- milestone: none → phase1-beta
- status: New → Confirmed
- description: updated
- description: updated

Changed in openvista-gtm-integration:
- assignee: nobody → jeff.apple (jeff-apple)

Changed in openvista-gtm-integration:
- status: Confirmed → Fix Committed

Changed in openvista-gtm-integration:
- status: Fix Committed → Fix Released
Here's a bug report where someone essentially runs into the same problem, but it's Exim instead of OpenVista that is running as a regular user (uid = 93) and trying to check other users' passwords.
https://bugzilla.redhat.com/show_bug.cgi?id=449256