Bug#1004472: groupmem: make authentification clear and check interaction with PAM

Markus Hiereth

Jan 28, 2022, 5:40:03 AM
Package: passwd
Version: 1:4.8.1-1
Severity: normal

Dear Maintainer,


* What led up to the situation?

Checks made for translation of man 8 groupmems

* What exactly did you do (or not do) that was effective (or
ineffective)?

Try to invoke groupmems as user and as system administrator

* What was the outcome of this action?

groupmems asked in both cases for authentication by a password, but does not specify which password is expected. There are three possibilities
a) root password from root (however, this does not make much sense)
b) user password for group-owning user (however, this does not make much sense)
c) the group's password

In all cases, I got a PAM authentication failure

* What outcome did you expect instead?

A snippet from the logfile is attached

Best regards
Markus



-- System Information:
Debian Release: 11.1
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 5.10.0-9-686-pae (SMP w/1 CPU thread)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages passwd depends on:
ii libaudit1 1:3.0-2
ii libc6 2.32-4
ii libcrypt1 1:4.4.18-4
ii libpam-modules 1.4.0-9+deb11u1
ii libpam0g 1.4.0-9+deb11u1
ii libselinux1 3.1-3
ii libsemanage1 3.1-1+b2

passwd recommends no packages.

passwd suggests no packages.

-- Configuration Files:
/etc/default/useradd [Errno 13] Keine Berechtigung: '/etc/default/useradd'

-- no debconf information

Markus Hiereth

Jan 28, 2022, 6:50:03 AM
Dear Maintainer,

the previously reported problem is quite probably due to the fact that the setup instructions for groupmems hadn't been performed.

This was done meanwhile.

But groupmems still does not work, see console logs

# system configuration

root@lune:/etc# grep tester2 group
tester2:x:1001:
groups:x:998:tester2

root@lune:/etc# grep tester2 gshadow
tester2:$6$7Y4UXOMu5WCPrn$DhOnnmrdihmp5g9AytktPyuF.kvAsMgL38Syx26tgBEcHF7xUyusX0T92wJYXa1TuRiZFul6VYdLJrG85yJWF/::
groups:!::tester2

root@lune:/etc# grep groups group
groups:x:998:tester2

root@lune:/etc# grep groups gshadow
groups:!::tester2

root@lune:/etc# ls -l /usr/sbin/groupmems
-rwx--s--- 1 root groups 66104 7. Feb 2020 /usr/sbin/groupmems

# trial to use groupmems

tester2@lune:~$ /usr/sbin/groupmems -l
bash: /usr/sbin/groupmems: Keine Berechtigung

tester2@lune:~$ /usr/sbin/groupmems -l [Ka tester1 tester2
bash: /usr/sbin/groupmems: Keine Berechtigung

Serge E. Hallyn

Jan 30, 2022, 11:50:03 PM
On Fri, Jan 28, 2022 at 11:29:49AM +0100, Markus Hiereth wrote:
> Package: passwd
> Version: 1:4.8.1-1
> Severity: normal
>
> Dear Maintainer,
>
>
> * What led up to the situation?
>
> Checks made for translation of man 8 groupmems
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Try to invoke groupmems as user and as system administrator
>
> * What was the outcome of this action?
>
> groupmems asked in both cases for authentication by a password, but does not specify which password is expected. There are three possibilities
> a) root password from root (however, this does not make much sense)
> b) user password for group-owning user (however, this does not make much sense)
> c) the group's password
>
> In all cases, I got a PAM authentication failure
>
> * What outcome did you expect instead?
>
> A snippet from the logfile is attached
>
> Best regards
> Markus

This is not a well understood - or well documented - command.

In order for unprivileged users to use groupmems, you must make
it setuid-root: 'chmod u+s /usr/sbin/groupmems'.

After I do this, I as user serge in group serge can do

groupmems -a testuser

to add user testuser to my group serge. I do have to provide
my own password.

-serge

Serge E. Hallyn

Jan 31, 2022, 12:10:03 AM
On Fri, Jan 28, 2022 at 12:26:00PM +0100, Markus Hiereth wrote:
> Dear Maintainer,
>
> the previously reported problem is quite probably due to the fact that the setup instructions for groupmems hadn't been performed.

Ah, I see, manpage recommends setgid. The instructions in
the manpage are definitely not right, though. For instance,
they say to chown groupmems after the chmod, but the chown
will negate the chmod.

More importantly, groupmems will try to open a file called
/etc/group.$pid, which it will not be allowed to do just by
virtue of being setuid-group 'groups'.

So yes, the recommended setup can't work. I wonder whether
anyone actually uses groupmems, or whether we should deprecate
it.
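
What the remark above about chown negating the chmod means in practice, as an added example that is not part of the original thread or of the shadow project's code: on Linux, chown(2) drops the setuid bit and, on group-executable files, the setgid bit, so the order of the two steps decides what is left on the binary. It works on a scratch file only; the function name mode_after and the modes 2710 and 4755 are illustrative assumptions, and `stat -c` assumes GNU coreutils or busybox.

```sh
#!/bin/sh
# Added example: operates on a scratch file in a temp dir,
# never on /usr/sbin/groupmems itself.

# mode_after ORDER MODE
# Apply chmod MODE and a chown (to our own uid:gid, so no privilege is
# needed) in the given ORDER, then print the octal mode that survives.
mode_after() {
    order=$1 mode=$2
    dir=$(mktemp -d) || return 1
    f=$dir/scratch-binary
    : > "$f"
    me="$(id -u):$(id -g)"
    case $order in
        # Order criticised in the thread: the bit is set, then chown
        # makes the kernel strip it again.
        chmod-then-chown) chmod "$mode" "$f" && chown "$me" "$f" ;;
        # Working order: fix ownership first, set the special bit last.
        chown-then-chmod) chown "$me" "$f" && chmod "$mode" "$f" ;;
        *) false ;;
    esac && stat -c '%a' "$f"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# 2710: setgid-only layout (assumed to mirror -rwx--s--- from the log above)
echo "setgid, chmod then chown: $(mode_after chmod-then-chown 2710)"
echo "setgid, chown then chmod: $(mode_after chown-then-chmod 2710)"
# 4755: setuid layout (assumed mode for the 'chmod u+s' variant)
echo "setuid, chmod then chown: $(mode_after chmod-then-chown 4755)"
echo "setuid, chown then chmod: $(mode_after chown-then-chmod 4755)"
```

When auditing an installed binary, the same `stat -c '%a'` call on its path shows whether the special bit survived the packaging or setup steps.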

Markus Hiereth

Feb 17, 2022, 6:10:03 AM
Hi Serge,

I did a few more tests, see the logging of the console.

Findings:

- groupmems expects the password of the user who wants to add another
user to his group (as you found out too)

- groupmems does not accept the group password for his primary group

- groupmems fails in case the binary has only the setgid bit set,
although man groupmems says that this would be one of the
preconditions for usage (problem with locking /etc/group)

- groupmems works in case the binary has the setuid bit set (as you
found out too)

Best regards
Markus



Miha Purg

Nov 20, 2023, 2:00:06 PM
Package: passwd
Version: 1:4.13+dfsg1-3
Followup-For: Bug #1004472
X-Debbugs-Cc: miha...@canonical.com

Confirming that the issue still exists in unstable.

When trying to use the command as root, the user is prompted for root's password,
which doesn't seem to be the correct behavior.

The reason seems to be a missing PAM file for groupmems:
https://github.com/shadow-maint/shadow/blob/master/etc/pam.d/groupmems

See also https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2039541

Best regards,
Miha



-- System Information:
Debian Release: 12.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-13-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=locale: Cannot set LC_ALL to default locale: No such file or directory
UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages passwd depends on:
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+deb12u3
ii libcrypt1 1:4.4.33-2
ii libpam-modules 1.5.2-6+deb12u1
ii libpam0g 1.5.2-6+deb12u1
ii libselinux1 3.4-1+b6
ii libsemanage2 3.4-1+b5

Versions of packages passwd recommends:
ii sensible-utils 0.0.17+nmu1

passwd suggests no packages.

-- debconf information excluded